Abstract

Security-sensitive applications that execute untrusted code often check the code's integrity by comparing its syntax to a known good value or sandbox the code to contain its effects. System M is a new program logic for reasoning about such security-sensitive applications. System M extends Hoare Type Theory (HTT) to trace safety properties and, additionally, contains two new reasoning principles. First, its type system internalizes logical equality, facilitating reasoning about applications that check code integrity. Second, a confinement rule assigns an effect type to a computation based solely on knowledge of the computation's sandbox. We prove the soundness of System M relative to a step-indexed trace-based semantic model. We illustrate both new reasoning principles of System M by verifying the main integrity property of the design of Memoir, a previously proposed trusted computing system for ensuring state continuity of isolated security-sensitive applications.

1. Introduction

Software systems, such as Web browsers, smartphone platforms, and extensible operating systems and hypervisors, are designed to provide subtle security properties in the presence of adversaries who can supply code, which is then executed with the privileges of the trusted system. For example, webpages routinely execute third-party JavaScript with full access to their content; smartphones execute apps from open app stores, often with very lax sandboxes; operating system kernels include untrusted (and often buggy) device drivers; and trusted computing platforms load programs from disk and only later verify loaded programs using the Trusted Platform Module (TPM) [ref]. Despite executing potentially adversarial code, all these systems have security-related goals, often safety properties over traces [ref]. For example, a hypervisor must ensure that an untrusted guest operating system running on top of it cannot modify the hypervisor's page table, a webpage must ensure that an embedded untrusted advertisement cannot access a user's password, and trusted computing mechanisms must enable a remote party to check that an expected software stack was loaded in the expected order on an untrusted server.

Secure execution of untrusted code in trusted contexts relies on two common mechanisms. First, untrusted code is often run inside a sandbox that confines its interaction with key system resources to a restricted set of interfaces. This practice is seen in Web browsers, hypervisors, and other security-critical systems. Second, code identification mechanisms are used to infer that an untrusted piece of code is in fact syntactically equal to a known piece of code. These mechanisms include distribution of signed code, and trusted computing mechanisms that leverage hardware support to enable remote parties to check the identity of code on an untrusted computer. Motivated by these systems, we present a program logic, called System M, for modeling and proving safety properties of systems that securely execute adversary-supplied code via sandboxing and code identification.

System M's design is inspired by Hoare Type Theory (HTT) [refs]. Like HTT, a monad separates computations with side-effects from pure expressions, and a monadic type both specifies the return type of a computation and includes a postcondition that specifies the computation's side-effects. The postcondition of a computation type in System M uses predicates over the entire trace of the computation. This is motivated by our desire to verify safety properties [ref], which are, by definition, predicates on traces. Further, the postcondition contains not one but two predicates on traces. One predicate, the standard partial correctness assertion, holds if the computation completes. The other, called the invariant assertion, holds at all intermediate points of the computation, even if the computation is stuck or divergent. The invariant assertion is directly used to represent safety properties.

To this basic infrastructure, we add two novel reasoning principles that internalize the rationale behind commonly used mechanisms for ensuring secure execution of adversary-supplied code: code identification and sandboxing. These rules derive effects of untyped code potentially provided by an adversary and, hence, enable the typing derivation of the trusted code to include, as sub-derivations, the reasoning about effects of the adversarial code.

The first principle, a rule called Eq, ascribes the type of a program e to another program e': if e is syntactically equal to e' and e : τ, then e' : τ. This rule is useful for typing programs read from adversary-modifiable memory locations when separate reasoning can establish that the value stored in the location is, in fact, syntactically equal to some known expression with a known type. Depending on the application, such reasoning may be based in a dynamic check (e.g., in secure boot [ref] the hash of a textual reification of a program read from adversary-accessible memory is compared to the corresponding hash of a known program before executing the read program) or it may be based in a logical proof showing the inability of the adversary to write the location in question (e.g., showing that guests cannot write to hypervisor memory).

Our second reasoning principle, manifest in a rule called CONFINE, allows us to type partially specified adversary-supplied code from knowledge of the sandbox in which the code will execute. The intuition behind this rule is that if all side-effecting interfaces available to a computation maintain a certain invariant on the shared state, then that computation cannot violate that invariant, irrespective of its actual code. The CONFINE rule generalizes prior work of Garg et al. on reasoning about interface-confined adversarial code in a first-order language [ref]. The main difference from Garg et al. is that in this paper trusted interfaces can receive and execute code, in addition to data, from the adversary and other trusted components. Our use of the CONFINE rule stresses our view that assumptions made about adversarial code should be minimized. In contrast, a lot of work, e.g., proof-carrying code [ref], requires that adversarial code be checked in a rich type system prior to execution, which eliminates the need for a rule like CONFINE. Section 3.2 explains the intuitions behind these two principles in more detail.

We show soundness of System M relative to a step-indexed model [ref] built over syntactic traces. As in some prior work [refs], our semantics of assertions and postconditions account for interleaving actions from concurrently executing programs, including adversarial programs, and, hence, our soundness theorem implies that all verified properties hold in the presence of adversaries, which is a variant of robust safety, proposed by Gordon et al. [ref]. System M supports compositional proofs: security proofs of sequentially composed programs are built from proofs of their sub-programs. System M also admits concurrent composition: properties proved of a program hold when that program executes concurrently with other, even adversarial, programs.

System M is the first program logic that allows proofs of safety for programs that execute adversary-supplied code with adequate precautions, but does not force the adversarial code to be completely available for typing. Other frameworks like Bhargavan et al.'s contextual theorems [ref] for F7 achieve expressiveness similar to the Confine rule for a slightly limited selection of trace properties. (We compare to related work in Section 7.) Our step-indexed model of Hoare types is also novel, although our exclusion of preconditions, our use of call-by-name β-reduction, and the inclusion of adversary-supplied code make the model nonstandard.

System M can be used to model and verify protocols as well as system designs. We demonstrate the reasoning principles of System M by verifying the state continuity property of the design of Memoir [ref], a previously proposed trusted computing system. For reasons of space, we elide proofs, some technical details and several typing rules from this paper. These are presented in the accompanying technical appendix.

2. Term Language and Operational Semantics 

We summarize System M's term syntax in Figure 1. Pure expressions, denoted e, are distinguished from effectful computations, denoted c. An expression can be a variable, a constant, a function, a polymorphic function, a function application, a polymorphic function instantiation, or a suspended computation. Constants can be Booleans (tt, ff), natural numbers (n ∈ N), thread identifiers (ι ∈ I), and memory locations (ℓ ∈ L). We use · as the placeholder for the type in a polymorphic function instantiation. Suspended computations comp(c) constitute a monad with return ret(e) and bind lete(e1, x.c2).

System M is parametrized over a set of action symbols A, which are instantiated with concrete actions based on specific application domains. For instance, A may be instantiated with memory operations such as read and write. An action, denoted a, is the application of an action symbol A to expression arguments.


Base values     bv ::= tt | ff | ι | ℓ | n
Expressions     e  ::= x | bv | λx.e | ΛX.e | e1 e2 | e · | comp(c)
Actions         a  ::= A | a e | a ·
Computations    c  ::= act(a) | ret(e) | fix f(x).c | c e
                     | letc(c1, x.c2) | lete(e1, x.c2)
                     | c1; c2 | e1; c2 | if e then c1 else c2

Figure 1. Term Syntax


A basic computation is either an atomic action (act(a)) or ret(e), which returns the pure expression e immediately. fix f(x).c is a fixpoint operator. f, which represents a suspended fixpoint computation, may appear free in the body c. Computation (c e) is the application of a fixpoint computation to its argument. letc(c1, x.c2) denotes the sequential composition of c1 and c2, while lete(e1, x.c2) is the sequential composition of the suspended computation to which e1 reduces and c2. In both cases, the expression returned by the first computation is bound to x, which may occur free in c2. We sometimes use the alternate syntax x ← c1; c2 and let x = e1; c2. When the expression returned by the first computation is not used in c2, we write c1; c2 and e1; c2.

The operational semantics of System M are small-step and based on interleaving of concurrent threads.

Stack          K ::= [] | x.c :: K
Thread         T ::= (ι; K; c) | (ι; K; e) | (ι; stuck)
Configuration  C ::= σ ▷ T1, ..., Tn

A thread T is a unit of sequential execution. A non-stuck thread is a triple (ι; K; c) or (ι; K; e), where ι is a unique identifier of that thread (drawn from a set I of such identifiers), K is the execution (continuation) stack, and c and e are the computation and expression currently being evaluated. A thread permanently enters a stuck state, denoted (ι; stuck), after performing an illegal action, such as accessing an unallocated memory location. An execution stack is a list of frames of the form x.c recording the return points of sequencing statements in the enclosing context. In a frame x.c, x binds the return expression of the computation preceding c. A configuration of the system is a shared state σ and a set of all threads. σ is application-specific; for the rest of this paper, we assume that it is a standard heap mapping pointers to expressions, but this choice is not essential. For example, in modeling network protocols, the heap could be replaced by the set of undelivered (pending) messages on the network.

For pure expressions, we use call-by-name β-reduction →β. This choice simplifies the operational semantics and the soundness proofs, as explained later in the paper. We elide the standard rules for →β. The small-step transitions for threads and system configurations are shown in Figure 2. The relation σ ▷ T → σ' ▷ T' defines a small-step transition of a single thread. C → C' denotes a small-step transition for configuration C; it results from the reduction of any single thread in C.

The rules for σ ▷ T → σ' ▷ T' are mostly straightforward. The rules for evaluating an atomic action (R-ActS and R-ActF) rely on a function next that takes the current store σ and an action a, and returns a new store and an expression, which are the result of the action. If the action is illegal, then next(σ, a) = (σ', stuck). If the action returns a non-stuck expression e (rule R-ActS), then the top frame (x.c) is popped off the stack, and c[e/x] becomes the current computation of the thread. If next returns stuck (rule R-ActF), then the thread enters the stuck state and permanently remains there. When a sequencing statement lete(e1, x.c2) is evaluated, the frame x.c2 is pushed onto the stack, and e1 is first reduced to a suspended computation comp(c1); then c1 is evaluated. When a fixpoint (fix f(x).c) e is evaluated, f is substituted with a function whose body is a suspension of fix f(x).c.

σ ▷ T → σ' ▷ T'

  next(σ, a) = (σ', e)    e ≠ stuck
  ------------------------------------------------------------------- R-ActS
  σ ▷ (ι; x.c :: K; act(a)) → σ' ▷ (ι; K; c[e/x])

  next(σ, a) = (σ', stuck)
  ------------------------------------------------------------------- R-ActF
  σ ▷ (ι; x.c :: K; act(a)) → σ' ▷ (ι; stuck)

  ------------------------------------------------------------------- R-Stuck
  σ ▷ (ι; stuck) → σ ▷ (ι; stuck)

  ------------------------------------------------------------------- R-Ret
  σ ▷ (ι; x.c :: K; ret(e)) → σ ▷ (ι; K; c[e/x])

  e →β e'
  ------------------------------------------------------------------- R-SeqE2
  σ ▷ (ι; K; e) → σ ▷ (ι; K; e')

  ------------------------------------------------------------------- R-SeqE3
  σ ▷ (ι; x.c2 :: K; comp(c1)) → σ ▷ (ι; x.c2 :: K; c1)

  ------------------------------------------------------------------- R-Fix
  σ ▷ (ι; K; (fix f(x).c) e) → σ ▷ (ι; K; c[λz.comp((fix f(x).c) z)/f][e/x])

Figure 2. Selected small-step reduction semantics of configurations

Any finite execution of a configuration results in a trace T, defined as a finite sequence of reductions. With each reduction we associate a time point u, also called a (logical) time point. These time points on the trace are monotonically increasing. A trace annotated with time is written C0 →^{u1} C1 ... →^{un} Cn, where ui < ui+1. We follow the convention that the reduction from Ci to Ci+1 happens at time ui+1 and that its effects occur immediately. Thus the state at time ui is the state in Ci.
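As an added example (not an artefact of the paper), the following Python program implements the thread/stack/configuration model of this section for a fragment of the language: act, ret, letc, lete, comp and call-by-name β-reduction, leaving out fix and polymorphism. Its next_action function plays the role of next(σ, a) over a heap, an access to an unallocated location yields stuck, and a round-robin scheduler records a time-annotated trace. The labels R-SeqC1 and R-SeqE1 for the two frame-pushing steps are this example's own, since Figure 2 elides those rules; the two threads and the initial heap are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass

# Terms of Figure 1 (fix and polymorphism left out), encoded as namedtuples.
Var, Const = namedtuple("Var", "name"), namedtuple("Const", "value")
Lam, App, Comp = namedtuple("Lam", "param body"), namedtuple("App", "fn arg"), namedtuple("Comp", "comp")
Act, Ret = namedtuple("Act", "sym args"), namedtuple("Ret", "expr")
LetC, LetE = namedtuple("LetC", "c1 x c2"), namedtuple("LetE", "e1 x c2")
STUCK = object()   # the 'stuck' result of next(sigma, a)

def subst(t, x, v):
    """t[v/x]; v is assumed closed, so no variable capture can occur."""
    if isinstance(t, Var):   return v if t.name == x else t
    if isinstance(t, Const): return t
    if isinstance(t, Lam):   return t if t.param == x else Lam(t.param, subst(t.body, x, v))
    if isinstance(t, App):   return App(subst(t.fn, x, v), subst(t.arg, x, v))
    if isinstance(t, Comp):  return Comp(subst(t.comp, x, v))
    if isinstance(t, Act):   return Act(t.sym, tuple(subst(a, x, v) for a in t.args))
    if isinstance(t, Ret):   return Ret(subst(t.expr, x, v))
    if isinstance(t, (LetC, LetE)):   # the frame x.c2 rebinds x
        return type(t)(subst(t[0], x, v), t.x, t.c2 if t.x == x else subst(t.c2, x, v))
    raise TypeError(t)

def next_action(store, act):
    """next(sigma, a): application-specific action semantics. The shared state
    is a heap; reading or writing an unallocated location is illegal."""
    loc = act.args[0].value
    if loc not in store:
        return store, STUCK
    if act.sym == "read":
        return store, store[loc]
    if act.sym == "write":
        new = dict(store); new[loc] = act.args[1]
        return new, Const(())
    return store, STUCK   # unknown action symbol: illegal as well

@dataclass
class Thread:
    tid: int
    stack: list          # frames (x, c); top of stack is the last element
    focus: object        # computation or expression being evaluated
    stuck: bool = False

def _resume(th, e):
    """Pop the top frame x.c and continue with c[e/x]."""
    x, c = th.stack.pop()
    th.focus = subst(c, x, e)

def step(store, th):
    """One reduction of a single thread, named after the Figure 2 rule applied.
    Returns (store', rule), or None once the thread has terminated."""
    f = th.focus
    if th.stuck:                                    # R-Stuck: stuck forever
        return store, "R-Stuck"
    if isinstance(f, Ret) and not th.stack:         # value with empty stack: done
        return None
    if isinstance(f, Act):
        store, e = next_action(store, f)
        if e is STUCK:                              # R-ActF
            th.stuck, th.focus = True, None
            return store, "R-ActF"
        _resume(th, e); return store, "R-ActS"      # R-ActS
    if isinstance(f, Ret):                          # R-Ret
        _resume(th, f.expr); return store, "R-Ret"
    if isinstance(f, (LetC, LetE)):                 # push x.c2, then run c1 / reduce e1
        th.stack.append((f.x, f.c2)); th.focus = f[0]
        return store, "R-SeqC1" if isinstance(f, LetC) else "R-SeqE1"
    if isinstance(f, Comp) and th.stack:            # R-SeqE3: enter the suspension
        th.focus = f.comp; return store, "R-SeqE3"
    if isinstance(f, App) and isinstance(f.fn, Lam):    # R-SeqE2: call-by-name beta
        th.focus = subst(f.fn.body, f.fn.param, f.arg); return store, "R-SeqE2"
    raise RuntimeError("no reduction rule applies to %r" % (f,))

def run(store, threads, max_steps):
    """Round-robin interleaving. Returns the final store and the trace as a
    list of (time point, thread id, rule) with strictly increasing times."""
    trace, time, active = [], 0, list(threads)
    while active and len(trace) < max_steps:
        for th in list(active):
            res = step(store, th)
            if res is None:
                active.remove(th); continue
            store, rule = res
            time += 1
            trace.append((time, th.tid, rule))
    return store, trace

def demo(max_steps=20):
    """Constructed scenario: thread 1 reads location 1 and copies it to location 2
    through an interface function; thread 2 touches unallocated location 99."""
    L1, L2 = Const(1), Const(2)
    writer = Lam("z", Comp(Act("write", (L2, Var("z")))))    # z -> comp(act(write 2 z))
    t1 = Thread(1, [], LetC(Act("read", (L1,)), "x",
                            LetE(App(writer, Var("x")), "_", Ret(Var("x")))))
    t2 = Thread(2, [], LetC(Act("read", (Const(99),)), "x", Ret(Var("x"))))
    store = {1: Const("secret"), 2: Const(None)}             # constructed initial heap
    store, trace = run(store, [t1, t2], max_steps)
    return store, trace, t1, t2
```

Thread 2 becomes stuck at its first action and then only takes R-Stuck steps, while thread 1 continues to completion: the stuck state is permanent and local to the thread, exactly as R-ActF and R-Stuck prescribe.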


3. Motivating Application 

We briefly review Memoir [ref], our main application, and highlight the challenges in analyzing Memoir to motivate the novel typing rules for deriving properties of adversary-supplied code using code identification and sandboxing.

3.1 Overview of Memoir 

Memoir provides state-integrity guarantees for stateful security-sensitive services invoked by potentially malicious parties. Such services often rely on untrusted storage to store their persistent state. An example of such a service is a password manager that responds with a stored password when it receives a request containing a URL and a username. The service would want to ensure secrecy and integrity of its state; in this case, the set of stored passwords. Simply encrypting and signing the service's state cannot prevent the attacker from invoking the service with a valid but old state, and consequently mounting service rollback attacks. For the password manager service, this attack could cause the service to respond with old (possibly compromised) passwords. Memoir solves this problem by using the TPM to provide state integrity guarantees. Memoir relies on the following TPM features:

• Platform configuration registers (PCRs) contain 20-byte hashes known as measurements that summarize the current configuration of the system. The value they contain can only be updated in two ways: (1) a reset operation which sets the value of the PCR to a fixed default value; (2) an extend operation which takes as argument a value v and updates the value of the PCR to the hash of the concatenation of its current value with v.

• Late launch is a command that can be used to securely load a program. It extends the hash of the textual reification of the program into a special PCR (PCR17). Combined with the guarantees provided by a PCR, late launch provides a mechanism for precise code identification.

• Non-volatile RAM (NVRAM) provides persistent storage that allows access control based on PCR measurements. Specifically, permissions on NVRAM locations can be tied to a PCR p and value v such that the location can only be read when the value contained in p is v.

1  runmodule(srvc, snap, req, Nloc) =
2    …
3    (skey, freshness-tag) ← act(NVRAMread Nloc);
4    service-state ← check-decryptsnapshot(snap);
5    …
6    (state', resp) ← (srvc ExtendPCR ResetPCR ···) (state, req);
7    …

Figure 3. Snippet of invocation code

Memoir has two phases: service initialization and service invocation. During initialization, the Memoir module is assigned an NVRAM block. It is also given a service to protect. The module generates a new symmetric key that is used throughout the lifetime of the service. It sets the permissions on accesses to the NVRAM block to be tied to the hash stored in PCR 17, which contains the hash of the code for Memoir and the service. To prevent rollback attacks, it uses a freshness tag, which is a chain of hashes of all the requests received so far. The secret key and an initial freshness tag are stored in the designated NVRAM location. The service then runs for the first time to generate an initial state, which along with the freshness tag is encrypted with the secret key and stored to disk. This encryption of the service's state along with the freshness tag is called a snapshot.

After initialization, a service can be invoked by providing Memoir with an NVRAM block, a piece of service code, and a snapshot. In Figure 3 we show a snippet of the Memoir service invocation code. Memoir retrieves the key and freshness tag from the NVRAM. Memoir then decrypts the snapshot and verifies that the freshness tag in the provided state matches the one stored in NVRAM. If the verification succeeds, Memoir computes a new freshness tag and updates the NVRAM. Next, it executes the service to generate a new state and a response. The new snapshot corresponding to the new state and freshness tag is stored to disk.
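The initialization and invocation flow just described, as an added Python model that is not Memoir's code: a toy TPM with PCR17, late launch and PCR-gated NVRAM; a Memoir module that keeps the key and freshness tag in NVRAM and seals snapshots; and a constructed password-manager service. Encryption of the snapshot is replaced by an HMAC, so the model covers integrity and rollback detection but not secrecy of the state; the initial tag value, the code strings and the requests are all constructed for the example.

```python
import hashlib, hmac, json, os

PCR_RESET = b"\x00" * 32   # constructed reset value; real PCRs hold 20-byte SHA-1 digests

def H(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()

class TPM:
    """Toy model of the three TPM features Memoir relies on."""
    def __init__(self):
        self.pcr17 = PCR_RESET
        self.nvram = {}                 # loc -> (PCR17 value required for access, contents)
    def reset_pcr(self):
        self.pcr17 = PCR_RESET
    def extend_pcr(self, v: bytes):     # PCR := hash(PCR || v)
        self.pcr17 = H(self.pcr17, v)
    def late_launch(self, code: bytes): # measure the program text into PCR17
        self.extend_pcr(H(code))
    def nvram_define(self, loc, contents):
        self.nvram[loc] = (self.pcr17, contents)   # bind access to the current measurement
    def _check(self, loc):
        required, contents = self.nvram[loc]
        if not hmac.compare_digest(required, self.pcr17):
            raise PermissionError("PCR17 does not match the NVRAM access policy")
        return required, contents
    def nvram_read(self, loc):
        return self._check(loc)[1]
    def nvram_write(self, loc, contents):
        required, _ = self._check(loc)
        self.nvram[loc] = (required, contents)

class RollbackError(Exception):
    pass

class Memoir:
    """Model of the Memoir design's two phases (integrity only, no encryption)."""
    MAC = 32
    def __init__(self, tpm: TPM, loc: int):
        self.tpm, self.loc = tpm, loc
    @staticmethod
    def seal(skey, tag, state):
        body = tag + state
        return body + hmac.new(skey, body, hashlib.sha256).digest()
    @staticmethod
    def unseal(skey, snap):
        body, mac = snap[:-Memoir.MAC], snap[-Memoir.MAC:]
        if not hmac.compare_digest(mac, hmac.new(skey, body, hashlib.sha256).digest()):
            raise ValueError("snapshot integrity check failed")
        return body[:32], body[32:]                 # (freshness tag, service state)
    def initialize(self, memoir_code, service_code, service, init_req):
        self.tpm.late_launch(memoir_code)           # PCR17 now identifies Memoir + service
        self.tpm.late_launch(service_code)
        skey, tag = os.urandom(32), H(b"memoir-initial-tag")   # constructed initial tag
        self.tpm.nvram_define(self.loc, (skey, tag))
        state, _ = service(None, init_req)          # first run produces the initial state
        return self.seal(skey, tag, state)
    def invoke(self, snapshot, req, service):
        skey, tag = self.tpm.nvram_read(self.loc)   # line 3 of Figure 3
        snap_tag, state = self.unseal(skey, snapshot)
        if not hmac.compare_digest(snap_tag, tag):  # line 4: freshness check
            raise RollbackError("snapshot does not carry the latest freshness tag")
        new_tag = H(tag, req)                       # hash chain over all requests so far
        self.tpm.nvram_write(self.loc, (skey, new_tag))
        new_state, resp = service(state, req)       # line 6: run the service
        return self.seal(skey, new_tag, new_state), resp

def password_manager(state, req):
    """Constructed example service: the state is a JSON dict url -> password."""
    store = json.loads(state) if state is not None else {}
    parts = req.decode().split()
    if parts[0] == "set":
        store[parts[1]] = parts[2]; resp = b"ok"
    elif parts[0] == "get":
        resp = store.get(parts[1], "").encode()
    else:
        resp = b""
    return json.dumps(store).encode(), resp

def scenario():
    tpm = TPM()
    m = Memoir(tpm, loc=1)
    snap0 = m.initialize(b"memoir code text", b"password manager code text", password_manager, b"init")
    snap1, _ = m.invoke(snap0, b"set example.com pw-v1", password_manager)
    snap2, _ = m.invoke(snap1, b"set example.com pw-v2", password_manager)
    _, latest = m.invoke(snap2, b"get example.com", password_manager)
    try:                        # rollback attempt: a valid but stale snapshot is replayed
        m.invoke(snap1, b"get example.com", password_manager); rollback_rejected = False
    except RollbackError:
        rollback_rejected = True
    tpm.reset_pcr()             # PCR17 no longer identifies Memoir + service
    try:
        tpm.nvram_read(1); pcr_gate_holds = False
    except PermissionError:
        pcr_gate_holds = True
    return {"latest": latest.decode(), "rollback_rejected": rollback_rejected,
            "pcr_gate_holds": pcr_gate_holds}
```

The replayed snapshot snap1 carries a freshness tag that is two requests behind the one in NVRAM, so the check at line 4 rejects it before the service is run; the PCR-bound NVRAM policy is what keeps the key and tag out of reach of any code with a different measurement.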

The security property we prove about Memoir is that the service can only be invoked on the state generated by the last completed instance of the service. The proof of security for Memoir requires reasoning about the effects of the service, which is provided by potentially malicious parties.

To derive properties of the runmodule code shown above, one needs to assign a type to srvc, which is provided by an adversary. The service srvc, run on line 6, is a function that contains no free actions. However, srvc takes as arguments interface functions corresponding to every atomic action in our model. Shown above are ExtendPCR and ResetPCR, which are simply wrappers for the corresponding atomic actions.

For example, the proof requires deriving the following two invariant properties about srvc:

1. It does not change the value of the PCR to a state that allows the adversary to later read the NVRAM.

2. It does not leak the secret key.

The first invariant is derived using the fact that the service is confined to the interface exposed by the TPM. The second invariant is derived in three steps: (i) prove that srvc is syntactically equal to the initial service; (ii) assume that the initial service does not leak the secret key; and (iii) hence infer that srvc does not leak the secret key. We next describe System M's typing rules that enable such reasoning.


3.2 Typing Adversary-Supplied Code

Reasoning about effects of confinement In analyzing programs that execute adversary-supplied code, one often encounters a partially trusted program, whose code is unknown, but which is known or assumed to be confined to the use of a specific set of interfaces to perform actions on shared state. In our Memoir example, every program on the machine is confined to the interface provided by the TPM. Using just this confinement information, we can sometimes deduce a useful effect-type for the partially trusted program. Suppose c is a closed computation, which syntactically does not contain any actions and can invoke as subprocedures the computations c1, ..., cn only (i.e., c is confined to c1, ..., cn). If all actions performed by c1, ..., cn satisfy a predicate φ, then the actions performed by c must also satisfy φ, irrespective of the code of c. Hence, we can statically specify the effects of c, without knowing its code, but knowing the effects of c1, ..., cn.

We formalize this intuition in a typing rule called CONFINE. To explain this rule, we introduce some notation. Let τ denote types in System M that include postconditions for computations and, specifically, let cmp(τ, φ) denote the monadic type of computations that return a value of type τ and whose actions satisfy the predicate φ. (The notation cmp(τ, φ) is simpler than our actual computation types, but it suffices for the explanation here.)

As an illustration of our CONFINE rule, consider any closed expression e. Assume that e does not contain any primitive actions. Then, we claim that for any φ, e has the type cmp(bool, φ) → cmp(bool, φ). To understand this claim, assume that φ is the property "the action is not a write to memory". To show that e : cmp(bool, φ) → cmp(bool, φ), we must show that for any v : cmp(bool, φ), e v : cmp(bool, φ). Hence, we must show that the actions performed by the computation, say c, that e v evaluates to do not include write. This can be argued easily: because e is closed and does not contain any actions, the only way this computation c could write is by invoking the computation v. However, because v : cmp(bool, φ), v does not write. Hence, e v : cmp(bool, φ).

In fact, we can assign e any type, including higher-order function types, as long as the effects in that type are φ. Let the predicate confine(τ)(φ) mean that φ' = φ for all nested types of the form cmp(τ', φ') in τ. Let confine(Γ)(φ) mean that every type τ that Γ maps to satisfies confine(τ)(φ). Let fa(e) = ∅ mean that e syntactically does not contain any actions. Then, the idea of typing through confinement is captured by the following rule. The rule says that for any e without any actions, if τ's nested effects are φ, and the types of the free variables in e also only have φ as effects, then e : τ with any predicate φ. (Our actual typing rule, shown in Section 4.1 after more notation has been introduced, is more complex. The actual rule also admits predicates over traces, which are more general than the predicates over individual actions that we have considered here.)

  fa(e) = ∅        fv(e) ∈ Γ
  confine(τ)(φ)    confine(Γ)(φ)
  ------------------------------- Confine
  Γ ⊢ e : τ


In our Memoir example, we use the CONFINE rule to derive the invariants of the service invoked by the attacker. For instance, if we can show that each of the TPM primitives does not reset the value of the PCR, then using the CONFINE rule, we can claim that srvc, when applied to these primitives, does not reset the value of the PCR. We revisit this proof with specific details in a later section.

Logic var ctx   Γ^ℓ ::= · | Γ^ℓ, x : b | Γ^ℓ, x : any
Typing ctx      Γ   ::= · | Γ, x : τ
Formula ctx     Δ   ::= · | Δ, φ
Exec ctx        Ξ   ::= u_b : b, u_e : b, ι : b

Figure 4. Types and typing contexts

In typing a statically unknown expression using the CONFINE rule, we assume that the expression is syntactically free of actions and that all of its free variables are in Γ. These are reasonable assumptions for untrusted code to be sandboxed. In an implementation, these assumptions can be discharged either by dynamic checks during execution, by static checks during program linking, or by hardware-enforced interface confinement. For example, in our Memoir analysis, the hardware ensures that TPM state can be modified by the service only using the TPM interface.


Deriving properties based on code integrity Next we need to show that srvc does not leak its secret key. We assume this property about the initial service Memoir was invoked with. (This property could be verified either by manual audits or automated static analysis of the service code.) However, in our model the adversary could invoke Memoir on malicious service code (e.g., replacing a legitimate password manager service with code of the adversary's choice). In this case, we can show with additional reasoning that the srvc invoked later must be the same program as the initial service. To allow typing srvc based on the proof of equality with the initial service and an assumed type for the initial service, we add a new rule called Eq.

  Γ ⊢ e : τ      Γ ⊢ e = e' true
  -------------------------------- Eq
  Γ ⊢ e' : τ

The Eq rule assigns the type τ of any expression e to any other expression e', which is known to be syntactically equal to e. This rule is trivially sound.

This pattern of first establishing code identity (identifying unknown code with some known code) and then using it to refine types is quite common in proofs of security-relevant properties. A similar pattern arises in the analysis of systems that rely on memory protections to ensure that code read from shared memory is the same as a piece of trusted code, and therefore safe to execute. In Datta et al.'s work on the analysis of remote attestation protocols [ref], similar patterns arise for typing potentially modified software executed in a machine's boot sequence. Their model is untyped, but if it were to be typed, Eq could be used to complete the proofs.
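An added Python checker for the two rules of this section (it is not part of the paper or its appendix), over a small tuple-encoded term and type language of its own: type_by_confine applies the CONFINE rule as stated above, checking fa(e) = ∅, fv(e) ⊆ Γ, confine(τ)(φ) and confine(Γ)(φ) without inspecting what e does, and type_by_eq applies Eq where the syntactic-equality premise is established the way secure boot and late launch establish it, by comparing the hash of a textual reification. The predicate φ is only a label here, and the service terms, their types and the interface type are constructed for the example.

```python
import hashlib

# Terms as tagged tuples (an encoding chosen for this example, not the paper's):
#   ("var", x) ("const", v) ("lam", x, e) ("app", e1, e2) ("comp", c)
#   ("act", A, (e1, ...)) ("ret", e) ("lete", e1, x, c2) ("letc", c1, x, c2)
# Types: ("b",) ("any",) ("pi", x, t1, t2) for Πx:t1.t2, ("cmp", t, phi) for cmp(t, phi).

def free_actions(e):
    """fa(e): the action symbols occurring syntactically anywhere in e."""
    tag = e[0]
    if tag == "act":
        return {e[1]} | {a for arg in e[2] for a in free_actions(arg)}
    if tag in ("var", "const"):
        return set()
    if tag == "lam":
        return free_actions(e[2])
    if tag == "app":
        return free_actions(e[1]) | free_actions(e[2])
    if tag in ("comp", "ret"):
        return free_actions(e[1])
    if tag in ("lete", "letc"):
        return free_actions(e[1]) | free_actions(e[3])
    raise ValueError(tag)

def free_vars(e):
    """fv(e): variables of e not bound by a lambda or a sequencing frame."""
    tag = e[0]
    if tag == "var":
        return {e[1]}
    if tag == "const":
        return set()
    if tag == "lam":
        return free_vars(e[2]) - {e[1]}
    if tag == "app":
        return free_vars(e[1]) | free_vars(e[2])
    if tag in ("comp", "ret"):
        return free_vars(e[1])
    if tag == "act":
        return {v for arg in e[2] for v in free_vars(arg)}
    if tag in ("lete", "letc"):
        return free_vars(e[1]) | (free_vars(e[3]) - {e[2]})
    raise ValueError(tag)

def confine_type(tau, phi):
    """confine(tau)(phi): every nested cmp(tau', phi') in tau has phi' == phi."""
    tag = tau[0]
    if tag in ("b", "any"):
        return True
    if tag == "pi":
        return confine_type(tau[2], phi) and confine_type(tau[3], phi)
    if tag == "cmp":
        return tau[2] == phi and confine_type(tau[1], phi)
    raise ValueError(tag)

def confine_ctx(gamma, phi):
    """confine(Gamma)(phi): every type Gamma maps to satisfies confine(.)(phi)."""
    return all(confine_type(t, phi) for t in gamma.values())

def type_by_confine(gamma, e, tau, phi):
    """The CONFINE rule. Returns tau when all four premises hold, otherwise the
    name of the first premise that fails; the body of e is never typed."""
    if free_actions(e):
        return "fa(e) ≠ ∅"
    if not free_vars(e) <= set(gamma):
        return "fv(e) ⊄ Γ"
    if not confine_type(tau, phi):
        return "confine(τ)(φ) fails"
    if not confine_ctx(gamma, phi):
        return "confine(Γ)(φ) fails"
    return tau

def reify(e):
    """Textual reification of a term (its canonical tuple repr here)."""
    return repr(e).encode()

def type_by_eq(e, known, known_tau):
    """The Eq rule: if hash(reify(e)) equals the hash of a known program that
    has type known_tau, e is syntactically equal to it and gets the same type."""
    known_hash = hashlib.sha256(reify(known)).digest()
    if hashlib.sha256(reify(e)).digest() == known_hash:
        return known_tau
    return None

# Constructed example: interface functions of type b -> cmp(b, phi), a service
# that only calls the interfaces it is handed, and one that resets the PCR directly.
B = ("b",)
PHI = "PCR17 is never reset"                   # the per-action predicate phi (a label)
IFACE = ("pi", "_", B, ("cmp", B, PHI))
SRVC_TYPE = ("pi", "extend", IFACE, ("pi", "reset", IFACE, ("cmp", B, PHI)))
good_srvc = ("lam", "extend", ("lam", "reset", ("comp",
             ("lete", ("app", ("var", "extend"), ("const", 42)), "x", ("ret", ("var", "x"))))))
bad_srvc = ("lam", "extend", ("lam", "reset", ("comp",
            ("letc", ("act", "ResetPCR", ()), "x", ("ret", ("var", "x"))))))

def demo():
    leaky_ctx = {"net": ("pi", "_", B, ("cmp", B, "writes the network"))}
    return {
        "good": type_by_confine({}, good_srvc, SRVC_TYPE, PHI),
        "bad": type_by_confine({}, bad_srvc, SRVC_TYPE, PHI),
        "leaky_ctx": type_by_confine(leaky_ctx, ("app", ("var", "net"), ("const", 1)),
                                     ("cmp", B, PHI), PHI),
        "eq_match": type_by_eq(good_srvc, good_srvc, SRVC_TYPE),
        "eq_mismatch": type_by_eq(bad_srvc, good_srvc, SRVC_TYPE),
    }
```

The "leaky_ctx" case is the one the rule's fourth premise exists for: the term itself performs no action, but a free variable whose own type carries a different effect would let it escape φ, so CONFINE refuses to type it.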


4. Type System and Assertion Logic 

The syntax for System M types is shown in Figure 4. Types for expressions, denoted τ, include type variables (X), a base type b, dependent function types (Πx:τ1.τ2), and polymorphic function types (∀X.τ). Since System M focuses on deriving trace properties of programs, the difference between base types such as unit and bool is of little significance. Therefore, System M has one base type b to classify all first-order terms. The type any contains all syntactically well-formed expressions (any stands for "untyped"). Memory always stores expressions of type any because the adversary could potentially write to any memory location.

Similar to HTT, a suspended computation comp(c) is assigned a monadic type comp(ηc), where ηc is a closed computation type. A closed computation type u1.u2.ι.(x:τ.φ1, φ2) contains two postconditions, φ1 and φ2. Both are interpreted relative to a trace T. φ1, the partial correctness assertion, holds whenever a computation of this type finishes execution on the trace. It is parametrized by the id ι of the thread that runs the computation, the interval (ub, ue] during which the computation runs and the return value x of the computation. φ2, called the invariant assertion, holds while a computation of the computation type is still executing (or is stuck), but has not returned. It is parametrized by the id ι of the thread running the computation and the time interval (ub, ue] over which the computation has executed. Formally, a suspended computation comp(c) has type comp(u1.u2.ι.(x:τ.(φ1, φ2))) if the following two properties hold for every trace T: (1) if a thread t on trace T begins to run c at time U1 and at time U2 c returns an expression e, then e has type τ, and T satisfies φ1[U1, U2, t, e/u1, u2, ι, x]; (2) if a thread t on trace T begins to run c at time U1 and at time U2 c has not finished, then T satisfies φ2[U1, U2, t/u1, u2, ι]. The meaning of all types is made precise in Section 5.

The type η may be either a partial correctness assertion, an invariant assertion, or a pair of both. Fixpoint computations have the type Πx:τ.u1.u2.ι.(y:τ.(φ1, φ2)), discussed in more detail with the typing rules. If f has this type, then for any e : τ, (f e) is a recursive computation of closed computation type u1.u2.ι.(y:τ.(φ1, φ2))[e/x].

Assertions, denoted φ, are standard first-order logical formulas interpreted over traces. Atomic assertions are denoted P.

We write α to categorize actions. A fully applied action has the type Act(ηc), where ηc denotes the action's effects.


4.1 Typing Rules 


Our typing judgments use several contexts. Θ is a list of type variables. The signature Σ contains specifications for action symbols. Γ^ℓ contains logical variable type bindings. These variables can only be of the type b or any. Γ contains dependent variable type bindings. Δ contains logical assertions. The ordered context Ξ = ub, ue, ι provides reference time points and a thread id to typing judgments for computations. When typing a computation, (ub, ue] are parameters representing the interval during which the computation executes and ι is a parameter representing the id of the thread that executes the computation. A summary of the typing judgments is shown below.

u:b; Θ; Σ; Γ^ℓ; Γ; Δ ⊢_Q e : τ       expression e has type τ
u:b; Θ; Σ; Γ^ℓ; Γ; Δ ⊢_Q c : ηc      fixed-point computation c has type ηc
Ξ; Θ; Σ; Γ^ℓ; Γ; Δ ⊢_Q c : η         computation c has type η
Ξ; Θ; Σ; Γ^ℓ; Γ; Δ ⊢ φ silent        φ holds while reductions are non-effectful
Θ; Σ; Γ^ℓ; Γ; Δ ⊢ φ true             φ is true


When typing expressions and fixpoint computations, u is the earliest time point when the term can be evaluated on the trace. The first three judgments are indexed by a qualifier Q, which can either be empty or ub.ue.ι.φ, which we call an invariant. Variables ub, ue, and ι have the same meaning as in the context Ξ, and may appear free in φ. Rules indexed with ub.ue.ι.φ are used for deriving properties of programs that execute adversarial code. Roughly speaking, the context Γ in these rules contains variables that are placeholders for expressions that satisfy the invariant φ. We explain here some selected rules of our type system; the remaining rules are listed in the accompanying technical appendix.


Silent threads Reductions on a trace can be categorized into those induced by the rules R-ActS and R-ActF in Figure 2 and those induced by other rules. We call the former effectful and the latter non-effectful or silent. The typing judgment Ξ; Θ; Σ; Γ^ℓ; Γ; Δ ⊢ φ silent specifies properties of threads while they perform only silent reductions or do not reduce at all. The judgment is auxiliary in proofs of both partial correctness and invariant assertions, as will become clear soon. The following rule states that if φ is true, then a trace containing a thread's silent computation satisfies φ.

  Ξ; Θ; Σ; Γ^ℓ; Γ; Δ ⊢ φ true      Ξ; Θ; Σ; Γ^ℓ; Γ; Δ ⊢ φ ok
  ---------------------------------------------------------- Silent
  Ξ; Θ; Σ; Γ^ℓ; Γ; Δ ⊢ φ silent

The type system may be extended with other sound rules for this judgment. For instance, the following is a trivially sound rule: ub.ue.ι; Θ; Σ; Γ^ℓ; Γ; Δ ⊢ (∀ℓ, t. ub < t ≤ ue ⊃ ¬Read ι ℓ t) silent. If a thread ι is not performing any action during the time interval (ub, ue], then it does not read memory during that time interval.


Partial correctness typing for computations Figure [?] shows selected rules for establishing partial correctness postconditions of computations. The judgment U1, U2, ι; Θ; Σ; Γ^ℓ; Γ; Δ ⊢ c : x:τ.φ means that if in trace T any thread with id t begins to execute computation c at time U1, and at time U2 c returns an expression e, and T satisfies all the formulas in Δ, then e has type τ, and T also satisfies φ[U1, U2, t, e/u1, u2, ι, x].

In rule ACT, the type of an atomic action is directly derived from the specification of the action symbol in Σ. We elide rules for the judgment a :: Act(u1.u2.ι.(x:τ.φ1, φ2)), which derives types for actions based on the specifications in Σ. We explain the invariant assertions for actions with the discussion of invariant typing for computations. When typing a, the logical variable typing context includes u2 : b and ι : b, because they may appear free in Γ and Δ. For brevity, we elide the types for variables of type b, as they are obvious from the context.

Rule Ret assigns e’s type to ret(e). The trace T containing 
the evaluation of ret(e) satisfies two properties, which appear in 
the postcondition of ret(e). First, the return expression, which 
is bound to x, is e (assertion {x = e)). Second, T satisfies any 
property p such that p silent holds. This is because reduction of 
ret(e) is silent. Here e is typed under the time point U2, indicating 
that e can only be evaluated after T12. 

Rule SeqC types the sequential composition letc(ci, 27.02). 
Starting at time point uq and returning at 173, the execution of 
letc(ci, X.C2) in any thread i can be divided into three segments 
for some Tti,Ti2: between time uo and Tti, where thread i takes 
only a silent step, pushing x.C2 onto the stack; between time Tti and 
U2, where the computation ci runs; and between time U2 and U3, 
where C2 runs. The first three premises of SeqC assert the effects of 
each these three segments. When type checking C2, the facts learned 
from the execution so far (po and pi) are included in the context. 
The fourth premise checks that p is the logical consequence of the 
conjunction of the three evaluation segments’ properties. 

The above rules have the same qualifier Q in the premises 
and the conclusion. Rule SeqCComp combines derivations with 
different qualifiers in a sequencing statement. The F context in the 
typing of Cl and C2 must be empty. Because the free variables in ci 
are place holders for expressions that satisfy an invariant pi, while 
the free variables in C2 are for ones that satisfy a different invariant 
P2, Cl and C2 cannot share free variables except those in F^. Note 
that both Q and Q2 can be empty. This rule is necessary for typing 
the sequential composition of two programs that contain differently 
sandboxed code: ci executes sandboxed code that satisfies pi and 
C2 either contains no sandboxed programs, or ones that satisfy p2 . 



Partial correctness typing 

u_1; Θ; Σ; Γ^L, u_2, i; Γ; Δ ⊢_Q a :: Act(u_b.u_e.j.(x:τ.(φ_1, φ_2))) 
u_1, u_2, i; Θ; Σ; Γ^L; Γ; Δ ⊢ φ silent 
fv(a) ⊆ dom(Γ)      let γ = [u_1, u_2, i/u_b, u_e, j] 
Θ; Σ; Γ^L; Γ ⊢ u_1.u_2.i.(x:τ.(φ_1γ, φ_2γ ∧ φ)) ok 
---------------------------------------------------------------- Act 
u_1, u_2, i; Θ; Σ; Γ^L; Γ; Δ ⊢_Q act(a) : (x:τ.φ_1γ, φ_2γ ∧ φ) 

u_2; Θ; Σ; Γ^L, u_1, i; Γ; Δ ⊢_Q e : τ 
u_1, u_2, i; Θ; Σ; Γ^L; Γ; Δ ⊢ φ silent      fv(e) ⊆ dom(Γ) 
---------------------------------------------------------------- Ret 
u_1, u_2, i; Θ; Σ; Γ^L; Γ; Δ ⊢_Q ret(e) : x:τ.((x = e) ∧ φ) 

u_0, u_1, i; Θ; Σ; Γ^L, u_3; Γ; Δ, u_0 < u_1 ⊢ φ_0 silent 
u_1, u_2, i; Θ; Σ; Γ^L, u_0 : b, u_3; Γ; Δ, u_1 < u_2, φ_0 ⊢_Q c_1 : x:τ.φ_1 
u_2, u_3, i; Θ; Σ; Γ^L, u_0, u_1; Γ, x : τ; Δ, u_2 < u_3, φ_0, φ_1 ⊢_Q c_2 : y:τ'.φ_2 
Θ; Σ; Γ^L, u_1, u_2, u_0, u_3, i; Γ, x : τ, y : τ'; Δ ⊢ (φ_0 ∧ φ_1 ∧ φ_2) ⇒ φ true 
Θ; Σ; Γ^L, u_0, u_3, i; Γ, y : τ' ⊢ φ ok 
fv(letc(c_1, x.c_2)) ⊆ dom(Γ) 
---------------------------------------------------------------- SeqC 
u_0, u_3, i; Θ; Σ; Γ^L; Γ; Δ ⊢_Q letc(c_1, x.c_2) : y:τ'.φ 

u_0, u_1, i; Θ; Σ; Γ^L, u_3; ·; Δ, u_0 < u_1 ⊢ φ_0 silent 
u_1, u_2, i; Θ; Σ; Γ^L, u_0 : b, u_3; ·; φ_0, u_1 < u_2 ⊢_Q c_1 : x:τ.φ_1 
u_2, u_3, i; Θ; Σ; Γ^L, u_0, u_1; x : τ; Δ, u_2 < u_3, φ_0, φ_1 ⊢_{Q_2} c_2 : y:τ'.φ_2 
Θ; Σ; Γ^L, u_0, u_3, i, u_1, u_2; Γ, y : τ'; Δ ⊢ (φ_0 ∧ φ_1 ∧ φ_2) ⇒ φ true 
Θ; Σ; Γ^L, u_0, u_3, i; Γ, y : τ' ⊢ φ ok 
---------------------------------------------------------------- SeqCComp 
u_0, u_3, i; Θ; Σ; Γ^L; Γ; Δ ⊢_{Q_2} (c_1; c_2) : y:τ'.φ 

Invariant typing 

Θ; Σ; Γ^L, u_0, u_3, i; Γ; Δ ⊢ φ ok 
u_0, u_1, i; Θ; Σ; Γ^L, u_3; Γ; Δ, u_0 < u_1 ⊢ φ_0 silent 
u_0, u_3, i; Θ; Σ; Γ^L; Γ; Δ, u_0 < u_3 ⊢ φ'_0 silent 
u_1, u_2, i; Θ; Σ; Γ^L, u_0 : b, u_3; Γ; Δ, u_1 < u_2, φ_0 ⊢_Q c_1 : x:τ.φ_1 
u_1, u_3, i; Θ; Σ; Γ^L, u_0 : b; Γ; Δ, u_1 < u_3, φ_0 ⊢_Q c_1 : φ'_1 
u_2, u_3, i; Θ; Σ; Γ^L, u_0, u_1; Γ, x : τ; Δ, u_2 < u_3, φ_0, φ_1 ⊢_Q c_2 : φ_2 
Θ; Σ; Γ^L, u_0, u_3, i; Γ; Δ ⊢ φ'_0 ⇒ φ true 
Θ; Σ; Γ^L, u_0, u_3, i; Γ, u_1; Δ ⊢ (φ_0 ∧ φ'_1) ⇒ φ true 
Θ; Σ; Γ^L, u_0, u_3, i; Γ, u_1, u_2, x : τ; Δ ⊢ (φ_0 ∧ φ_1 ∧ φ_2) ⇒ φ true 
fv(letc(c_1, x.c_2)) ⊆ dom(Γ) 
---------------------------------------------------------------- SeqCI 
u_0, u_3, i; Θ; Σ; Γ^L; Γ; Δ ⊢_Q letc(c_1, x.c_2) : φ 

Figure 5. Selected Rules for Computation Typing 


Invariant typing for computations The meaning of the invariant 
typing judgment u_1, u_2, i; Θ; Σ; Γ^L; Γ; Δ ⊢ c : φ is the following: 
Assuming that on a trace T, thread ι begins to execute c at time U_1, 
and at time U_2 c has not yet returned (this includes the possibility 
that c is looping indefinitely or is stuck), if T satisfies the assumptions 
in Δ, then T also satisfies φ[U_1, U_2, ι/u_1, u_2, i]. 

We first explain the invariant assertions for actions (rule Act). 
The thread executing the atomic action is silent before the action 
returns. Therefore, the invariant assertion of the action is the con-
junction of the invariant specified in Σ and the effect of being silent. 

Next, we explain the rule SeqCI for the sequencing statement 
letc(c_1, x.c_2). We need to consider three cases when deriving the 
invariant assertion φ of letc(c_1, x.c_2) in the interval (u_0, u_3]: (1) 
the computation has not started until u_3; (2) the computation c_1 
started but has not returned until u_3; (3) the computation c_1 has 
returned, but c_2 has not returned until u_3. The first five premises 
of rule SeqCI establish properties of a silent thread, the partial 
correctness and invariant assertions of the computation c_1, and 
the invariant assertion of c_2. The next three judgments check that 
in each of the three cases (1)-(3), the final assertion φ holds. 

For example, comp(letc(act(read e), x.ret x)) can be as-
signed the following type. Predicate mem ℓ v u is true when 
at time u, memory location ℓ is allocated and stores the expression 
v. Predicate eval e e' is true if e β-reduces to e', which cannot 
reduce further. write i ℓ e u states that thread i writes to address 
ℓ the expression e at time u. The partial correctness assertion states 
that this suspended computation returns what is stored in the loca-
tion that e reduces to. The invariant assertion states that during its 
execution, the thread executing it does not write to the memory. 

comp(u_b.u_e.i.(y:any. ∀ℓ, v, eval e ℓ ∧ mem ℓ v u_e ⇒ y = v, 
                ∀ℓ, v, u, u_b < u ≤ u_e ⇒ ¬write i ℓ v u)) 

Fixpoint computation The fixpoint is typed under a time point u, 
which is the earliest time when the fixpoint is unrolled. 

Γ_1 = y : τ, f : Πy:τ.comp(u_1.u_3.i.(x:τ_1.φ, φ')) 
u_1, u_2, i; Θ; Σ; Γ^L; Γ; Δ, u ≤ u_1 < u_2 ⊢ φ_0 silent 
u_2, u_3, i; Θ; Σ; Γ^L, u_1, u; Γ, Γ_1; Δ, u_2 < u_3, φ_0 ⊢_Q c : x:τ_1.φ_1 
u_2, u_3, i; Θ; Σ; Γ^L, u_1, u; Γ, Γ_1; Δ, u_2 < u_3, φ_0 ⊢_Q c : φ_2 
Θ; Σ; Γ^L, u_1, u, u_2, u_3, i; Γ, Γ_1, x : τ_1; Δ ⊢ (φ_0 ∧ φ_1) ⇒ φ true 
Θ; Σ; Γ^L, u_1, u_2, u_3, i, u; Γ, Γ_1; Δ ⊢ (φ_0 ∧ φ_2) ⇒ φ' true 
Θ; Σ; Γ^L, u_1, u_3, i, u; Γ, y : τ; Δ ⊢ φ_0[u_3/u_2] ⇒ φ' true 
Θ; Σ; Γ^L, u; Γ ⊢ Πy:τ.u_1.u_3.i.(x:τ_1.(φ, φ')) ok 
fv(fix(f(y).c)) ⊆ dom(Γ) 
---------------------------------------------------------------- Fix 
u; Θ; Σ; Γ^L; Γ; Δ ⊢_Q fix(f(y).c) : Πy:τ.u_1.u_3.i.(x:τ_1.(φ, φ')) 

Rule Fix simultaneously establishes the partial correctness and 
invariant assertions of a fixpoint. The third and fourth premises es-
tablish the partial correctness and invariant assertions of the body 
c of the fixpoint. The fifth premise checks that the specified par-
tial correctness assertion φ is entailed by the conjunction of the 
assertions of a silent thread and the assertion of the body. The 
next two premises check the invariant assertion φ'. For example, 
fix f(x).write x 0; read x; letc(f(x+1); z.ret z) has the type: 

Πx:b.u_b.u_e.i.(y:any.⊥, 
   ∀u, ℓ, v, u_b < u ≤ u_e ∧ read i ℓ u 
     ⇒ ∃u', u' < u ∧ write i ℓ v u') 
Expression typing Similar to the fixpoint, the expression typing 
judgment is parameterized over a time point u, which is the earliest 
time point at which e is evaluated. Recall that the typing rule for ret(e) 
types e under the time point when ret(e) returns. This is because e 
can only be evaluated after ret(e) finishes. Most expression typing 
rules are standard. A representative subset is listed in Figure 6. 
Rule Comp assigns a monadic type to a suspended computation 
by checking the computation. Since the suspended computation can 
only execute after u_e, the logical context of the first premise can 
safely assume that the beginning time point of c is no earlier than 
u_e. As usual, the rule also builds in weakening of postconditions. 

The rule Eq, motivated in Section 3, assigns an expression e' 
the type of e, if e is syntactically equal to e'. 

The rule Confine, motivated in Section 3, allows us to type 
an expression from the knowledge that it contains no actions and 
that its free variables will be substituted with expressions with 
effect φ. The main generalization from the simpler rule presented 
in Section 3 is that now φ is a predicate over an interval and a 
thread in a trace, not just a predicate over individual actions. The 
intuitive idea behind the rule is similar: if c is a computation that 
is free of actions and confined to use the computations c_1, ..., c_n 
for interaction with the shared state, and each of the computations 
c_1, ..., c_n maintains a trace invariant φ while it executes, then as 
c executes, it maintains φ. 

Technically, because φ also accepts as arguments any inter-
val on a trace (it has free variables u_b, u_e), we require that φ be 
trace composable, meaning that if φ holds on two consecutive in-
tervals of a trace, then it holds across the union of the intervals. 
Formally, φ is trace composable if ∀u_1, u_2, u_3, i. (φ(u_1, u_2, i) ∧ 
φ(u_2, u_3, i)) ⇒ φ(u_1, u_3, i). Further, φ has to hold on inter-
vals when thread i is silent. This prevents us from deriving arbi-
trary properties of untrusted code. For instance, φ cannot be ⊥. 
(No trace can satisfy the invariant ⊥.) This rule relies on check-
ing that τ relates to the invariant φ, represented as the relation 
confine(τ)(u_b.u_e.i.φ). This relation means that φ is both the par-
tial correctness assertion and the invariant assertion in every com-
putation type comp(η) occurring in τ. Similarly, Γ is required to 
map every free variable in e to a type that satisfies the same rela-
tion. The conclusion is indexed by the invariant u_b.u_e.i.φ to record 
the fact that all substitutions for variables in Γ need to satisfy φ. 

--------------------------- 
confine(b)(u_b.u_e.i.φ) 

confine(τ_1)(u_b.u_e.i.φ)      confine(τ_2)(u_b.u_e.i.φ) 
------------------------------------------------------ 
confine(Πx:τ_1.τ_2)(u_b.u_e.i.φ) 

confine(τ)(u_b.u_e.i.φ) 
------------------------------------------------------ 
confine(comp(u_b.u_e.i.(x:τ.φ, φ)))(u_b.u_e.i.φ) 

The Confine rule itself does not stipulate any conditions on 
the predicate φ, other than requiring that φ be trace composable. 
However, if e is of function type, and expects some interfaces as 
arguments, then in applying Confine to e, we must choose a φ to 
match the actual effects of those interfaces, else the application of 
e to the interfaces cannot be typed. 

The rule Conf-Sub constrains a regular typing derivation to a 
specific invariant u_b.u_e.i.φ. This is sound because the first premise 
does not require the substitutions for Γ to satisfy any specific 
invariant, so they can be narrowed down to any invariant. The 
conclusion must be tagged with the invariant φ, because: (1) τ 
could be a base type, in which case the invariant is not evident 
in e's type; and (2) the types in Γ are allowed to contain nested 
effects that are not φ. Reason (1) is also why the conclusion of the 
Confine rule is indexed. 

u_1, u_2, i; Θ; Σ; Γ^L, u_e; Γ; Δ, u_1 ≥ u_e ⊢_Q c : (x:τ.φ_1, φ_2) 
Θ; Σ; Γ^L, u_e:b, u_1:b, u_2:b, i:b; Γ, x : τ; Δ ⊢ φ_1 ⇒ φ'_1 true 
Θ; Σ; Γ^L, u_e:b, u_1:b, u_2:b, i:b; Γ; Δ ⊢ φ_2 ⇒ φ'_2 true 
Θ; Σ; Γ^L, u_e:b; Γ ⊢ u_1.u_2.i.(x:τ.(φ'_1, φ'_2)) ok 
fv(c) ⊆ dom(Γ) 
---------------------------------------------------------------- Comp 
u_e; Θ; Σ; Γ^L; Γ; Δ ⊢_Q comp(c) : comp(u_1.u_2.i.(x:τ.(φ'_1, φ'_2))) 

u; Θ; Σ; Γ^L; Γ; Δ ⊢_Q e : τ 
Θ; Σ; Γ^L, u; Γ; Δ ⊢ e = e' true      fv(e') ⊆ dom(Γ) 
---------------------------------------------------------------- Eq 
u; Θ; Σ; Γ^L; Γ; Δ ⊢_Q e' : τ 

φ is trace composable 
u_b, u_e, i; Θ; Σ; Γ^L, u; Γ; Δ ⊢ φ silent 
u_b:b, u_e:b, i:b ⊢ φ ok      fa(e) = ∅      fv(e) ⊆ Γ 
confine(τ)(u_b.u_e.i.φ)      confine(Γ)(u_b.u_e.i.φ) 
---------------------------------------------------------------- Confine 
u; Θ; Σ; Γ^L; Γ; Δ ⊢_{u_b.u_e.i.φ} e : τ 

u; Θ; Σ; Γ^L; Γ; Δ ⊢ e : τ      u_b:b, u_e:b, i:b ⊢ φ ok 
---------------------------------------------------------------- Conf-Sub 
u; Θ; Σ; Γ^L; Γ; Δ ⊢_{u_b.u_e.i.φ} e : τ 

Figure 6. Selected expression typing rules 

Finally, the time point enables expression types to include facts 
that are established by programs executed earlier. For example, the 
return type of letc(a_1, x.ret(comp(a_2))) can be the following, 
assuming that the effect of action a_1 is A_1 i u, and that of a_2 is A_2 i u. 

comp(u_b.u_e.i.(x:b. ∃u, u_b < u ≤ u_e ∧ A_2 i u ∧ ∃u', u' < u ∧ A_1 i u', 
                 ⊤)) 

We would not have been able to know that A_1 happens before 
A_2 without the time point in the expression typing rules. 

Logical Reasoning System M includes a proof system for first-
order logic, most of which is standard. We show here the rule 
Honest, which allows us to deduce properties of a thread based 
on the invariant assertion of the computation it executes. 

u_1, u_2, i; Θ; Σ; Γ^L; ·; Δ ⊢ c : φ 
Θ; Σ; Γ^L; ·; Δ ⊢ start(ι, c, u) true 
Θ; Σ ⊢ Γ^L, Γ ok 
---------------------------------------------------------------- Honest 
Θ; Σ; Γ^L; Γ; Δ ⊢ ∀u' : b. (u' > u) ⇒ φ[u, u', ι/u_1, u_2, i] true 

If we know that a thread ι starts executing at time u with payload 
computation c (premise start(ι, c, u)) and computation c has an 
invariant postcondition φ, then we can conclude that at any later 
point u', φ holds for the interval (u, u']. The condition that c 
be typed under an empty Γ context is required by the soundness 
proofs, which we discuss in Section 5. 
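As an added example (not code from the paper), the following Python models the confine(τ)(u_b.u_e.i.φ) relation defined above together with the two side conditions the Confine rule places on φ, trace composability and holding on silent intervals, and checks them on a constructed finite trace for the paper's "thread i never writes" invariant and for ⊥. The type AST, the event format of the trace, and the function names are assumptions of this example, not the paper's definitions.

```python
"""Toy model of confine(tau)(u_b.u_e.i.phi) and of the two side conditions
of the Confine rule (trace composability; holding on silent intervals).
Added example; not code from the System M paper."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# --- 1. Types and the confine relation (three rules from the text) --------
# An invariant phi is identified by a name string in this model (assumption).

@dataclass(frozen=True)
class Base:            # the base type b
    pass

@dataclass(frozen=True)
class Pi:              # Pi x:tau_1.tau_2 (dependency on x is irrelevant here)
    arg: "Ty"
    res: "Ty"

@dataclass(frozen=True)
class Comp:            # comp(u_b.u_e.i.(x:tau.phi_pc, phi_inv))
    ret: "Ty"
    pc: str            # partial-correctness assertion
    inv: str           # invariant assertion

Ty = object            # Base | Pi | Comp

def confine(ty, phi: str) -> bool:
    """confine(tau)(u_b.u_e.i.phi): phi must be both assertions of every
    comp type occurring in tau; b is always confined; Pi recurses."""
    if isinstance(ty, Base):
        return True
    if isinstance(ty, Pi):
        return confine(ty.arg, phi) and confine(ty.res, phi)
    if isinstance(ty, Comp):
        return ty.pc == phi and ty.inv == phi and confine(ty.ret, phi)
    raise TypeError(ty)

# --- 2. Side conditions on phi, checked on a constructed trace -----------
# Event = (time, thread, effectful action, location); constructed sample data.
Event = Tuple[int, str, str, str]
TRACE: List[Event] = [
    (1, "i", "read",  "l1"),
    (2, "j", "write", "l1"),   # another thread's write; irrelevant to i's invariant
    (3, "i", "read",  "l2"),
    (5, "i", "write", "l2"),
]

# An invariant is a predicate over (trace, u_b, u_e, i), as in the paper.
Inv = Callable[[List[Event], int, int, str], bool]

def no_write(trace, ub, ue, i) -> bool:
    """forall l, v, u. u_b < u <= u_e => not write i l v u (the paper's example)."""
    return not any(t == i and a == "write" and ub < u <= ue for u, t, a, _ in trace)

def bottom(trace, ub, ue, i) -> bool:
    """The invariant bottom: no trace satisfies it."""
    return False

def is_trace_composable(inv: Inv, trace, i, horizon: int) -> bool:
    """phi(u1,u2,i) and phi(u2,u3,i) => phi(u1,u3,i) for all u1<=u2<=u3 up to horizon."""
    for u1 in range(horizon + 1):
        for u2 in range(u1, horizon + 1):
            for u3 in range(u2, horizon + 1):
                if inv(trace, u1, u2, i) and inv(trace, u2, u3, i) \
                        and not inv(trace, u1, u3, i):
                    return False
    return True

def holds_when_silent(inv: Inv, trace, i, horizon: int) -> bool:
    """phi must hold on every interval (u_b, u_e] in which thread i takes
    no effectful step; this is what rules out bottom (it is vacuously
    composable, but fails here)."""
    for ub in range(horizon + 1):
        for ue in range(ub, horizon + 1):
            silent = not any(t == i and ub < u <= ue for u, t, _, _ in trace)
            if silent and not inv(trace, ub, ue, i):
                return False
    return True
```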

4.2 Examples 

We prove the following state continuity property of Memoir. It 
states that after the service has been initialized at time u_1 with the 
key skey, whenever we invoke the service with state state at a time 
point u later than u_1, it must be the case that the service was either 
initialized with or produced the state state at a time point u'. Moreover, 
there are no invocations of the service between u' and u. 

∀u_1, state, state', skey, ι_init, s_init. 
  service_init(ι_init, skey, service, s_init)@u_1 ⇒ 
  ∀u > u_1. service_try(i, skey, state, state')@u ⇒ 
    ∃j, u' < u. ((∃s. service_invoke(j, skey, s, state)@u' 
                 ∨ service_try(j, skey, state)@u' 
                 ∨ service_init(j, skey, state)@u') 
               ∧ (∀j'. ¬service_invoke(j', skey, ···) ∘ (u', u))) 

The expressiveness of the first-order logic enables us to specify 
the above property, where the ordering of events is crucial. For the 
full proofs, we refer the reader to our technical appendix. We now 
revisit our discussion in Section 3 and highlight critical uses of the 
System M program logic in the proof. Recall that Memoir has two 
phases: service initialization and service invocation. During initial-
ization, we assume that the Memoir module runmodule (shown in 
Section 3) is assigned NVRAM location Nloc and service service. The 
permission for accessing Nloc (which stores the secret key used to 
encrypt state and the freshness tag) is set to the value of PCR 17. This 
PCR stores a nested hash s_hash = H(h || code_hash(service)). 
Here, the term H(x) denotes the hash of x, || denotes concatenation, 
h is any value and code_hash(x) is a hash of the textual reification 
of program x. After initialization, we prove the following two key 
invariants about executions of runmodule: 

1. PCR Protection: The value of PCR 17 contains the value 
s_hash only during late launch sessions running runmodule. 

2. Key Secrecy: If the key corresponding to a service is available 
to a thread, then it must have either generated it or read it from 
Nloc. 

We prove these invariants using the Honest rule, which requires 
us to type runmodule. Since runmodule invokes srvc, we need to 
type srvc. Recall that srvc is adversarially-supplied code. Thus, in 
typing it we make use of the Confine and Eq rules. 

For the first invariant, we derive the necessary type for srvc by 
typing against the TPM interface. The particular invariant type we 
wish to derive about srvc is that in a late launch session, if the value 
in the PCR has been set to a value that is not a prefix of s_hash, 
then srvc cannot change the value in the PCR to something that is 
a prefix of s_hash (i.e., it cannot fool the NVRAM access control 
mechanism into believing that service was loaded when it was not). 

(srvc ExtendPCR ResetPCR ···) (state, req) : 
  cmp(u_b, u_e, i. ¬PCRPrefix(pcr17, s_hash)@u_b ⇒ 
      ∀u ∈ (u_b, u_e]. (InLLSession(u, runmodule, i) ⇒ 
                        ¬PCRPrefix(pcr17, s_hash)@u)) 

To derive this type using the Confine rule, it is sufficient to 
show that each function in the TPM interface can be assigned 
this type. For example, the ExtendPCR interface satisfies this 
invariant as it can only extend a PCR value. This derivation is a 
key step in proving that the service does not change the value of 
the PCR to a state that allows any entity other than runmodule to 
read the NVRAM location Nloc (i.e., the first invariant of srvc in 
Section 3). 

Similarly, we can prove that the permissions on Nloc are always 
tied to PCR 17 being s_hash, by typing srvc with the invariant 
that the permissions on Nloc cannot be changed. Thus, whenever 
Nloc is read from, the value of PCR 17 is s_hash. We also show 
separately that in any particular instance of runmodule with srvc, 
the state of PCR 17 must be H(h || code_hash(srvc)) for some 
h. Therefore, by Nloc's access control mechanism, we prove that 
H(h || code_hash(srvc)) = s_hash and therefore srvc = service 
(where = denotes syntactic equality). 

This is a key step to proving the key secrecy invariant. It al-
lows us to transfer assumptions about the known Memoir service 
service to the adversarially-supplied service srvc. Specifically, we 
assume that service has the following type T_sec (which means that 
if the input of service does not contain a secret s then the out-
put doesn't contain it) and an invariant KeepsSecret(i, s, Nloc) 
(which means that s is not sent out on the network and the only 
NVRAM location s is possibly written to is Nloc). 

T_sec = Πi : msg. cmp(u_b, u_e, i. 
          (x : msg. ∀s. ¬Contains(i, s) ⇒ ¬Contains(x, s), 
           ∀s. ¬Contains(i, s) ⇒ KeepsSecret(i, s, Nloc) ∘ (u_b, u_e])) 

Using the above assumption about service and the proof that 
srvc = service, we use Eq to derive the required type for srvc 
(i.e., the second invariant of srvc discussed in Section 3). 

5. Semantics and Soundness 

We build a step-indexed semantic model for types and prove 
soundness of System M relative to that. Central to the seman-
tics is the notion of invariant. We build two sets of seman-
tics: one is a semantics for invariants of the form u_b.u_e.i.φ 
(RE_INV⟦u_b.u_e.i.φ⟧), and the other is an invariant-indexed seman-
tics for types (RE(u_b.u_e.i.φ)⟦τ⟧). These two sets coincide when 
confine(τ)(u_b.u_e.i.φ) holds (Lemma 1). 

5.1 A Step-indexed Semantics for Invariants 

We define RV_INV⟦Φ⟧_{T;u}, RE_INV⟦Φ⟧_{T;u}, RC_INV⟦Φ⟧_{T;u} (Φ = 
u_b.u_e.i.φ), the sets of step-indexed normal forms, expressions, and 
computations that satisfy the invariant φ respectively. T is the trace 
that the term is evaluated on and u is the earliest time point when 
the term is evaluated. These sets categorize invariant-confined ad-
versarial programs. 

We first define the set of step-indexed computations that satisfy 
an invariant φ below. An indexed computation (k, c) belongs to 
this relation if the following holds: (1) during any interval u_B and 
u_E when thread ι executes c on T, φ[u_B, u_E, ι/u_b, u_e, i] holds 
on T and (2) if c completes at time u_E, then the expression that 
c returns, indexed by the remaining steps of the trace, satisfies the 
same invariant. 

RC_INV⟦u_b.u_e.i.φ⟧_{T;u} = 
  {(k, c) | ∀u_B, u_E, ι, u ≤ u_B < u_E, 
     let γ = [u_B, u_E, ι/u_1, u_2, i], 
     j_b is the length of the trace from time u_B to the end of T, 
     j_e is the length of the trace from time u_E to the end of T, 
     k > j_b > j_e, 
     the configuration at time u_B is σ_b ▷ ···, (ι; x.c' :: K; c), ··· 
     the configuration at time u_E is σ_e ▷ ···, (ι; K; c'[e'/x]), ··· 
     between u_B and u_E, the stack of thread ι always contains x.c' :: K 
     ⇒ (j_e, e') ∈ RE_INV⟦u_b.u_e.i.φ⟧_{T;u_E} and T ⊨ φγ[e'/x]} 
  ∩ {(k, c) | ∀u_B, u_E, ι, u ≤ u_B < u_E, let γ = [u_B, u_E, ι/u_1, u_2, i], 
     j_b is the length of the trace from time u_B to the end of T, 
     j_e is the length of the trace from time u_E to the end of T, 
     k > j_b > j_e, 
     the configuration at time u_B is σ_b ▷ ···, (ι; x.c' :: K; c), ··· 
     between u_B and u_E (inclusive), the stack of thread ι always 
       contains the prefix x.c' :: K 
     ⇒ T ⊨ φγ} 

We explain some parts of the definition. At time u_B, thread ι 
begins to run c, which is formalized by requiring that the thread 
(ι; x.c' :: K; c) is in the configuration right after time u_B. At time u_E, c 
returns an expression e' to its context, which is formalized by re-
quiring that thread ι's top frame is popped off the stack with e' sub-
stituted for x, and that the top frame remains unchanged between 
u_B and u_E. Both u_B and u_E are within the last k configurations 
of the trace because the length of the trace is n and k > j_b > j_e. 
The earliest time point to interpret e' is u_E, which is when e' is 
returned. The index for the returned expression e' is j_e, which is 
less than k. Hence, our step-indices count the number of remain-
ing steps in the trace. Moreover, these remaining steps include not 
just steps of the thread containing c, but also other threads. This 
ensures the computation c's postconditions hold even when it ex-
ecutes concurrently with other threads (robust safety; Theorem 4). 
For the second set, c must not have finished at u_E, so between u_B 
and u_E, no frame on the stack x.c' :: K should have been popped. 

The relation RV_INV⟦u_b.u_e.i.φ⟧_{T;u} includes all normal expres-
sions that are not introduction forms (i.e., functions and suspended 
computations). These normal forms cannot be further reduced in 
any evaluation context, and therefore do not have any effects (they 
are silent). A function is in this relation if, given arguments main-
taining the same invariant, the function body also maintains that 
invariant. As is standard, the step-index of the argument is smaller 
than that of the function because function application consumes a 
step. The case of polymorphic functions is defined similarly. A sus-
pended computation comp(c) belongs to this relation if c belongs 
to the RC_INV⟦u_b.u_e.i.φ⟧_{T;u} relation defined earlier. 

RV_INV⟦u_b.u_e.i.φ⟧_{T;u} = {(k, nf) | nf ≠ λx.e, ΛX.e, comp(c)} 
  ∪ {(k, comp(c)) | (k, c) ∈ RC_INV⟦u_b.u_e.i.φ⟧_{T;u}} 
  ∪ {(k, λx.e) | ∀j, u', j < k, u' ≥ u, 
       (j, e') ∈ RE_INV⟦u_b.u_e.i.φ⟧_{T;u'} 
       ⇒ (j, e[e'/x]) ∈ RE_INV⟦u_b.u_e.i.φ⟧_{T;u'}} 
  ∪ {(k, ΛX.e) | ∀j, j < k ⇒ (j, e) ∈ RE_INV⟦u_b.u_e.i.φ⟧_{T;u}} 

The definition of the RE_INV⟦u_b.u_e.i.φ⟧_{T;u} relation is standard: 
if e evaluates to a normal form nf in m steps, then nf has to be in 
the value relation indexed by the number of the remaining steps. 

RE_INV⟦u_b.u_e.i.φ⟧_{T;u} = 
  {(k, e) | ∀0 ≤ m < k, e ⟶^m e' ↛ 
     ⇒ (k − m, e') ∈ RV_INV⟦u_b.u_e.i.φ⟧_{T;u}} 

This relation includes all programs (including ill-typed ones) 
that satisfy the invariant if executed in a context that satisfies that 
invariant. This relation justifies the soundness of the Confine rule. 
Confined adversary-supplied code is in the RE_INV⟦u_b.u_e.i.φ⟧_{T;u} 
relation (Lemma 2). 

5.2 A Step-indexed Model for Types 

As programs include adversarial code, which requires its evaluation 
context to maintain an invariant, the semantics of types need to be 
indexed by invariants of the form u_b.u_e.i.φ. 

Types The interpretation of an expression type τ is a semantic 
type, written C. Each C is a set of pairs; each pair contains a 
step-index and an expression. The expression has to be in normal 
form, denoted nf, that cannot be reduced further under call-by-
name β-reduction. C contains the set of all possible indices and all 
syntactically well-formed normal forms. This is used to interpret 
the type any of untyped programs. As usual, we require that C 
be closed under reduction of step-indices. Let P(S) denote the 
powerset of S. The set of all semantic types is denoted Type. 

Type = {C | C ∈ P({(j, nf) | j ∈ ℕ}) ∧ 
  (∀k, nf, j. (k, nf) ∈ C ∧ j < k ⇒ (j, nf) ∈ C) ∧ 
  (∀k, nf. nf ≠ λx.e, ΛX.e, comp(c) ⇒ (k, nf) ∈ C)} 

Interpretation of expression types We define the value and ex-
pression interpretations of expression types τ (written RV(Φ)⟦τ⟧_{θ;T;u} 
and RE(Φ)⟦τ⟧_{θ;T;u}), as well as the interpretation of computation 
types η (written RC(Φ)⟦η⟧_{θ;T;u}) simultaneously by induction on 
types (Φ = u_b.u_e.i.φ). Let θ denote a partial map from type vari-
ables to Type, T denote the trace that expressions are evaluated on, 
and u denote the time point after which expressions are evaluated. 
Figure 7 defines the value and expression interpretations. We omit 
the cases for any and X. 

The interpretation of the base type b is the same as RV_INV⟦Φ⟧_{T;u}. 
The type b itself doesn't specify any effects, and, therefore, expres-
sions in the interpretation of b only need to satisfy the invariant 
Φ. The interpretation of the function type Πx:τ_1.τ_2 is nonstan-
dard: the substitution for the variable x is an expression, not a 
value. This simplifies the proof of soundness of function applica-
tion: since System M uses call-by-name β-reduction, the reduction 
of e_1 e_2 need not evaluate e_2 to a value before it is applied to the 
function that e_1 reduces to. Further, the definition builds in both 
step-index downward closure and time delay: given any argument 
e' that has a smaller index j and evaluates after u', which is later 
than u, the function application belongs to the interpretation of the 
argument type with the index j and time point u'. The interpreta-
tion of the function type also includes normal forms that are not λ 
abstractions that are in the RV_INV⟦u_b.u_e.i.φ⟧_{T;u} relation. These 
are adversary-supplied untyped code, which is required by our type 
system to satisfy the invariant u_b.u_e.i.φ. 

The interpretation of the monadic type includes suspended com-
putations (k, comp(c)) such that (k, c) belongs to the interpretation 
of computation types, defined below. Because c executes after time 
u, the beginning and ending time points selected for evaluating c 
are no earlier than u. Similar to the interpretation of the function 
type, the interpretation of the monadic type also includes normal 
forms that are not monads, but satisfy the invariant u_b.u_e.i.φ. The 
interpretation of the any type contains all normal forms. 

We lift the value interpretation RV(Φ)⟦τ⟧_{θ;T;u} to the expres-
sion interpretation in a standard way. 

Interpretation of formulas Formulas are interpreted on traces. We 
write T ⊨ φ to mean that φ is true on trace T. 

T ⊨ P e              iff   P e ∈ ε(T) 
T ⊨ start(ι, c, U)   iff   thread ι has c as the active computation 
                           with an empty stack at time U on T 
T ⊨ ∀x:τ.φ           iff   ∀e, e ∈ ⟦τ⟧ implies T ⊨ φ[e/x] 

We assume a valuation function ε(T) that returns the set of 
atomic formulas that are true on the trace T. For first-order quantifi-
cation, we select terms in the denotation of the types (⟦τ⟧), which 
is defined as follows: 

⟦any⟧ = {e | e is an expression} 
⟦b⟧ = {e | e ⟶* bv} 
⟦Πx:τ_1.τ_2⟧ = {λx.e_1 | ∀e', e' ∈ ⟦τ_1⟧ ⇒ e_1[e'/x] ∈ ⟦τ_2⟧} 

The types of the logical variables can only be b, any and func-
tion types. The interpretation of these types is much simpler than 
that of expressions. 

Interpretation of computation types The interpretation of a 
computation type, RC(u_b.u_e.i.φ_1)⟦x:τ.φ⟧_{θ;T;H}, is a set of step-
indexed computations. The trace T contains the execution of the 
computation. H = u_b, u_e, i has its usual meaning, except that u_b, 
u_e, and i are concrete values, not variables. 

We define the semantics of the partial correctness type, denoted 
RC(u_b.u_e.i.φ_1)⟦x:τ.φ⟧_{θ;T;H}, below. Informally, it contains the set 
of indexed computations c, if T contains a complete execution of 
the computation c in the time interval (u_b, u_e] in thread i such that 
c returns e' at time u_e and it is also the case that T satisfies φ[e'/x] 
and that e' has type τ semantically. Similar to the RC_INV⟦Φ⟧_{T;u} 
relation, the remaining steps include not just steps of the thread 
executing c, but also other threads. The invariant u_b.u_e.i.φ_1 is used 
in the specification of the return value. 

RC(u_b.u_e.i.φ_1)⟦x:τ.φ⟧_{θ;T;u_1,u_2,i} = {(k, c) | 
   j_b is the length of the trace from time u_1 to the end of T, 
   j_e is the length of the trace from time u_2 to the end of T, 
   k > j_b > j_e, 
   the configuration at time u_1 is σ_b ▷ ···, (i; x.c' :: K; c), ··· 
   the configuration at time u_2 is σ_e ▷ ···, (i; K; c'[e'/x]), ··· 
   between u_1 and u_2, the stack of thread i always contains x.c' :: K 
   ⇒ (j_e, e') ∈ RE(u_b.u_e.i.φ_1)⟦τ⟧_{θ;T;u_2} 
      and T ⊨ φ[e'/x]} 

The interpretation for the invariant assertions is defined simi-
larly, and we omit its definition. Because c is being evaluated and 
produces no return value, the interpretation need not be indexed by 
an invariant. We write _ in place of the invariant. 

5.3 Examples 

We illustrate some key points of our semantic model. We instantiate 
the next function (defined earlier) for the read action as follows: 

next(σ, read e_1 e_2) = ... 
next(σ, read e_1 e_2) = ...   if ... ∉ dom(σ) 

Predicate stuck ι u is true when thread ι is in the stuck state at 
time u. The first example below shows the semantic specification of 
the read action. The partial correctness assertion states that as long 
as the location ℓ being read is allocated when the read happens, 
the thread does not get stuck and the expression y returned by 
read is the in-memory content v of the location read. The invariant 
assertion states that between the time the read action becomes the 
redex and the time it reduces, the thread is not stuck. 

1. (n, act(read e)) ∈ 
   RC(Φ)⟦y:any. ∀ℓ, v, mem ℓ v u_2 ∧ eval e ℓ ⇒ 
          (y = v) ∧ ¬stuck i @ (u_1, u_2]⟧_{θ;T;u_1,u_2,i} 

2. RC(Φ)⟦∀j, ℓ, e, t.(¬Write j ℓ e t)⟧ = ∅ 

The second example states that the interpretation of the invariant 
computation type (∀j, ℓ, e, t.(¬Write j ℓ e t)), which states that no 
thread performs a write action at any time, is the empty set. This 
is because the semantics of invariant assertions require that any 
trace containing the execution of such a computation satisfy this 
invariant. A trivial counterexample is a trace containing a second 
thread that writes to memory. 

RV(u_b.u_e.i.φ)⟦b⟧_{θ;T;u} = {(k, e) | (k, e) ∈ RV_INV⟦u_b.u_e.i.φ⟧_{T;u}} 

RV(u_b.u_e.i.φ)⟦Πx:τ_1.τ_2⟧_{θ;T;u} = 
  {(k, λx.e) | ∀j < k, ∀u', u' ≥ u, ∀e', (j, e') ∈ RE(u_b.u_e.i.φ)⟦τ_1⟧_{θ;T;u'} 
     ⇒ (j, e[e'/x]) ∈ RE(u_b.u_e.i.φ)⟦τ_2[e'/x]⟧_{θ;T;u'}} 
  ∪ {(k, nf) | nf ≠ λx.e ⇒ (k, nf) ∈ RV_INV⟦u_b.u_e.i.φ⟧_{T;u}} 

RV(u_b.u_e.i.φ)⟦∀X.τ⟧_{θ;T;u} = 
  {(k, ΛX.e) | ∀j < k, ∀C ∈ Type, (j, e) ∈ RE(u_b.u_e.i.φ)⟦τ⟧_{θ[X↦C];T;u}} 
  ∪ {(k, nf) | nf ≠ ΛX.e ⇒ (k, nf) ∈ RV_INV⟦u_b.u_e.i.φ⟧_{T;u}} 

RV(u_b.u_e.i.φ)⟦comp(u_1.u_2.i.(x:τ.φ_1, φ_2))⟧_{θ;T;u} = 
  {(k, comp(c)) | ∀u_B, u_E, ι, u ≤ u_B < u_E, let γ = [u_B, u_E, ι/u_1, u_2, i], 
     (k, c) ∈ RC(u_b.u_e.i.φ)⟦x:τγ.φ_1γ⟧_{θ;T;u_B,u_E,ι} ∩ RC(_)⟦φ_2γ⟧_{θ;T;u_B,u_E,ι}} 
  ∪ {(k, nf) | nf ≠ comp(c) ⇒ (k, nf) ∈ RV_INV⟦u_b.u_e.i.φ⟧_{T;u}} 

RE(u_b.u_e.i.φ)⟦τ⟧_{θ;T;u} = 
  {(k, e) | ∀m < k, e ⟶^m e' ↛ ⇒ (k − m, e') ∈ RV(u_b.u_e.i.φ)⟦τ⟧_{θ;T;u}} 

Figure 7. Semantics for invariant-indexed types 

5.4 Soundness of the Logic 

We prove that our type system is sound relative to the semantic 
model of Section We start by defining valid substitutions for 
contexts. We write 7 ?.T[ 0 ] to denote the set of valid semantic 
substitutions for 0 . We write 7 i,Q{^)\r'\g-^-r\u to denote a set of 
substitutions for variables in T. Each indexed substitution is a pair 
of an index and a substitution 7 for variables. 

We first prove two key lemmas. Lemma [T] states that when all 
the effects in r are Ub-Us-i.if, then the interpretation of r is the 
same as the interpretation of the invariant Ub-Ue-i.ip. The proof is 
by induction on the structure of r. 

Lemma 1 (Indexed types are confined), confine (r) (ub-Ue-i.ip) 

implies TZS{ub.Ue.i.Lp)\T\g-^r-,u = TZSim\ub.Ue.i.tp\T-,u- 

The following lemma states that if $e$ does not contain any actions,
then $e$, with its free variables substituted by expressions
that satisfy an invariant $u_b.u_e.i.\varphi$, satisfies the same invariant. The
proof is by induction on the structure of $e$.

Lemma 2 (Invariant confinement). If $\varphi$ is composable, and thread
$\iota$ being silent between times $u_B$ and $u_E$ implies $T \models \varphi[u_B, u_E, \iota/u_b, u_e, i]$,
then $\mathit{fa}(e) = \emptyset$, $\mathit{fv}(e) \subseteq \mathit{dom}(\gamma)$, and $(n,\gamma) \in \mathcal{RE}_{\mathit{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u}$
imply $(n, e\gamma) \in \mathcal{RE}_{\mathit{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u}$.

The soundness theorem (Theorem 3) has two different statements,
one for judgments with the empty qualifier and one for judgments with an invariant
qualifier. The statements for judgments with an empty qualifier say that,
for any invariant $\Phi$, if the substitution for $\Gamma$ belongs to the interpretation
of types indexed by $\Phi$, then the expression (or computation) belongs to
the interpretation of its type indexed by the same invariant $\Phi$. For
judgments qualified by a specific invariant $\Phi$, the soundness
statements are specific to that $\Phi$.

Theorem 3 (Soundness). Assume that for all $A :: \alpha \in \Sigma$ and all $\Phi, T, n, u$, $(n, A) \in \mathcal{RA}(\Phi)[\![\alpha]\!]_{\cdot;T;u}$. Then:

1. (a) If $\mathcal{E} :: u{:}b; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_\Phi e : \tau$, then for all $\theta \in \mathcal{RT}[\![\Theta]\!]$, all $\gamma^L \in [\![\Gamma^L]\!]$, all $U, U'$ with $U' > U$, letting $\gamma_u = [U/u]$, and all $T, n, \gamma$: $(n;\gamma) \in \mathcal{RG}(\Phi)[\![\Gamma\gamma_u\gamma^L]\!]_{\theta;T;U'}$ and $T \models \Delta\gamma\gamma_u\gamma^L$ imply $(n; e\gamma) \in \mathcal{RE}(\Phi)[\![\tau\gamma\gamma_u\gamma^L]\!]_{\theta;T;U'}$.

   (b) If $\mathcal{E} :: u_1, u_2, i; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_\Phi c : \eta$, then for all $u, u_B, u_E, \iota$ with $u < u_B < u_E$, letting $\gamma_1 = [u_B, u_E, \iota/u_1, u_2, i]$, for all $\theta \in \mathcal{RT}[\![\Theta]\!]$, all $\gamma^L \in [\![\Gamma^L]\!]$, and all $T, n, \gamma$: $(n;\gamma) \in \mathcal{RG}(\Phi)[\![\Gamma\gamma_1\gamma^L]\!]_{\theta;T;u}$ and $T \models \Delta\gamma\gamma_1\gamma^L$ imply $(n; c\gamma) \in \mathcal{RC}(\Phi)[\![\eta\gamma\gamma_1\gamma^L]\!]_{\theta;T;u_B,u_E,\iota}$.

2. (a) If $\mathcal{E} :: u{:}b; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash e : \tau$, then for all $\theta \in \mathcal{RT}[\![\Theta]\!]$, all $\gamma^L \in [\![\Gamma^L]\!]$, all $U, U'$ with $U' > U$, letting $\gamma_u = [U/u]$, and all $T, \Phi, n, \gamma$: $(n;\gamma) \in \mathcal{RG}(\Phi)[\![\Gamma\gamma_u\gamma^L]\!]_{\theta;T;U'}$ and $T \models \Delta\gamma\gamma_u\gamma^L$ imply $(n; e\gamma) \in \mathcal{RE}(\Phi)[\![\tau\gamma\gamma_u\gamma^L]\!]_{\theta;T;U'}$.

   (b) If $\mathcal{E} :: u_1, u_2, i; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash c : \eta$, then for all $u, u_B, u_E, \iota$ with $u < u_B < u_E$, letting $\gamma_1 = [u_B, u_E, \iota/u_1, u_2, i]$, for all $\theta \in \mathcal{RT}[\![\Theta]\!]$, all $\gamma^L \in [\![\Gamma^L]\!]$, and all $T, \Phi, n, \gamma$: $(n;\gamma) \in \mathcal{RG}(\Phi)[\![\Gamma\gamma_1\gamma^L]\!]_{\theta;T;u}$ and $T \models \Delta\gamma\gamma_1\gamma^L$ imply $(n; c\gamma) \in \mathcal{RC}(\Phi)[\![\eta\gamma\gamma_1\gamma^L]\!]_{\theta;T;u_B,u_E,\iota}$.

   (c) If $\mathcal{E} :: \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash \varphi\ \mathit{true}$, then for all $\theta \in \mathcal{RT}[\![\Theta]\!]$, all $\gamma^L \in [\![\Gamma^L]\!]$, and all $T, \Phi, n, \gamma, u$: $(n;\gamma) \in \mathcal{RG}(\Phi)[\![\Gamma\gamma^L]\!]_{\theta;T;u}$ and $T \models \Delta\gamma^L\gamma$ imply $T \models \varphi\gamma^L\gamma$.

We prove the soundness theorem by induction on typing derivations,
with a sub-induction on step indices for the case of fixpoints.

The proof of soundness of the rule Confine (case 2.(a)) first uses
Lemma 1 to show that a substitution $\gamma$ for $\Gamma$, where $\gamma$ maps each
variable $x$ in $\Gamma$ into the interpretation of its type $\Gamma(x)$, is also a substitution
where each $\gamma(x)$ belongs to the interpretation of the invariant. Then we
use Lemma 2 to show that the untyped term $e\gamma$ belongs to the
interpretation of the invariant. Applying Lemma 1 again, we can
show that $e\gamma$ is in the interpretation of $\tau$. The confine relations in
the premises are key to this proof. The proof of the rule Conf-sub
uses the induction hypothesis directly: a derivation with an empty
qualifier can pick substitutions with any invariant $\varphi$.

To prove the soundness of Honest, we need to show that, given
any substitution $(n, \gamma)$ for $\Gamma$, the trace satisfies the invariant of $c$.
From the last premise of Honest, we know that $c$ starts with an
empty stack; $c$ can never return because there is no frame to be
popped off the empty stack. Therefore, at any time point after $c$
starts, the invariant of $c$ must hold. However, the length of the
trace after $c$ starts, denoted $m$, is not related to $n$. To use the
induction hypothesis, we need to use the substitution $(m, \gamma)$ for $\Gamma$.
Because $\Gamma$ is empty, we complete the proof by applying the induction
hypothesis to the first premise with the empty substitution $(m, \cdot)$.

An immediate corollary of the soundness theorem is the following
robust safety theorem, which states that the invariant assertion
in a computation $c$'s postcondition holds even when $c$ executes concurrently
with other threads, including adversarial ones.
The theorem holds because we account for adversarial actions in
the definition of $\mathcal{RC}(u_b.u_e.i.\varphi)[\![\eta]\!]_{\theta;T;u}$. A similar theorem holds
for partial correctness assertions.

Theorem 4 (Robust safety). If

• $u_1, u_2, i; \Delta \vdash c : \varphi$ and $T \models \Delta$,

• $T$ is a trace obtained by executing the parallel composition of threads with IDs $(\iota_1, \ldots, \iota_k)$,

• at time $u_B$, the computation that thread $\iota_j$ is about to run is $c$,

• at time $u_E$, $c$ has not returned,

then $T \models \varphi[u_B, u_E, \iota_j/u_1, u_2, i]$.

6. Discussion 

Proving non-stuckness We can use System M's invariant assertions
to verify that a program always remains non-stuck. Recall
the example from Section 5.3. We can prove non-stuckness for a
computation $c$ by showing that it has the invariant postcondition
$(\neg\mathit{stuck}\ i)@(u_b, u_e]$. To complete such a proof, we would require
that all action types assert non-stuckness in their postconditions under
appropriate assumptions on the past trace. For instance, the first
example in Section 5.3 states that we can assert non-stuckness in
the postcondition of the read action if the memory location being
read has been allocated.

Choice of reduction strategy System M uses call-by-name $\beta$-reduction
for expressions, which simplifies the operational semantics
as well as the soundness proofs. The other evaluation strategies we
considered force us to use $\beta$-equality in place of syntactic equality
in the rule Eq. This makes the system design, semantics, and soundness
proofs very complicated. In particular, a variant of the Eq rule that uses $\beta$-equality
cannot be proven sound in a model where expressions are
indexed by their reduction steps.

7. Related Work 

Hoare Type Theory (HTT) In HTT [?], a monad classifies
effectful computations and is indexed by the return type, a precondition
over the (initial) heap, and a postcondition over the initial
and final heaps. This allows proofs of functional correctness of
higher-order imperative programs. The monad in System M is motivated
by, and similar to, HTT's monad. However, there are several
differences between the two. A System M postcondition is a predicate
over the entire execution trace, not just the initial and final heaps as in HTT.
It also includes an invariant assertion, which holds even if the computation does not
return. This change is needed because we wish to prove safety properties,
not just properties of heaps. Although moving from predicates
over heaps to predicates over traces in a sequential language
is not very difficult, our development is complicated because we
wish to reason about robust safety, where adversarial, potentially
untyped code interacts with trusted code. Hence, we additionally
incorporate techniques to reason about untyped code (rules Eq and
Confine). We also exclude standard Hoare preconditions from
computation types. Usually, preconditions ensure that well-typed
programs do not get stuck. We argued in Section 6 that in System
M this property can be established for individual programs using
only invariant postconditions. The standard realizability semantics
of HTT [?] is based on a model of CPOs, whereas our model
is syntactic and step-indexed [?].

RHTT [?] is a relational extension of HTT used to reason about
access and information flow properties of programs. That extension
to HTT is largely orthogonal to ours, and the two could potentially
be combined into a larger framework with the capabilities of both.
The properties that can be proved with RHTT and System M are
different: System M verifies safety properties in the presence of
untyped adversaries, whereas RHTT verifies relational, non-trace properties
assuming fully typed adversaries.

LS² and PCL System M is inspired by and based upon a prior
program logic, LS², for reasoning about safety properties of first-order
programs in the presence of adversaries [?]. The main
conceptual difference from LS² is that in System M trusted and untrusted
components may exchange code and data, whereas in LS²
this interface is limited to data. Our Confine rule for establishing
invariants of an unknown expression from invariants of the interfaces
it has access to is based on a similar rule called RES in LS². The
difference is that System M's rule allows typing higher-order expressions,
which makes it more complex; e.g., we must index the
typing derivations with invariants and define interpretations for invariants
based on step-indexing programs to obtain soundness. LS²
itself is based on a logic for reasoning about Trusted Computing
Platforms [?] and on Protocol Composition Logic (PCL) for reasoning
about safety properties of cryptographic protocols [?].

Rely-guarantee reasoning There are two broad kinds of techniques
for proving invariants over state shared by concurrent programs.
Coarse-grained reasoning, followed in, e.g., Concurrent
Separation Logic (CSL) [?] and the concurrent version of HTT [?],
assumes clearly marked critical regions and allows programs to violate
invariants on shared state only within them. This assumes
that resource contention is properly synchronized, which is generally
unrealistic when executing concurrently with an unspecified
adversary. In contrast, fine-grained reasoning, followed in, e.g.,
the method of Owicki-Gries [?] and its successor, rely-guarantee
reasoning [?], makes no synchronization assumption but has a
higher proof burden at each individual step of a computation. In
proofs with System M, including the Memoir example in this paper,
we use a template for rely-guarantee reasoning taken from
LS². The methods used to prove invariants within this template are
different because of the new higher-order setting.

Type systems that reason about adversary-supplied code The
idea of using a non-informative type, any, for typing expressions
obtained from untrusted sources goes back to the work of Abadi [?].
Gordon and Jeffrey developed a very widely used proof technique
for proving robust safety based on this type [?]. In their system,
any program can be syntactically given the type any by typing all
subexpressions of the program any. Although System M's use of
the any type is similar, our proof technique for robust safety is
different. It is semantic and based on that of PCL: we allow for
arbitrary adversarial interleaving actions in the semantics of our
computation types (relation $\mathcal{RC}(\Phi)[\![\eta]\!]_{\theta;T;u}$ in Section 5.2). Due
to this generalized semantic definition, robust safety (Theorem 4)
is again a trivial consequence of soundness (Theorem 3).

Several type systems for establishing different kinds of safety
properties build directly or indirectly on the work of Abadi [?] and
Gordon and Jeffrey [?]. Of these, the most recent and advanced are
RCF [?] and its extensions [?]. RCF is based on types refined
with logical assertions, which provide roughly the same expressiveness
as System M's dependently-typed computation types. By design,
RCF's notion of trace is monotonic: the trace is an unordered
set of actions (programmer-specified ghost annotations) that have
occurred in the past [?]. This simplified design choice allows scalable
implementation. On the other hand, there are safety properties
of interest that rely on the order of past events and, hence, cannot be
directly represented in RCF's limited model of traces. An example
of this kind is measurement integrity in attestation protocols [?,
Theorems 2 & 4]. In contrast to RCF, we designed System M for
verification of general safety properties (so the measurement integrity
property can be expressed and verified in System M), but
we have not considered automation for System M so far.

F* extends F7 with quantified types, a rich kinding system,
concrete refinements and several other features taken from the language
Fine [?]. This allows verification of stateful authorization
and information flow properties in F*. Quantified predicates can
also be used for full functional specifications of higher-order programs.
Although we have not considered these applications so far,
we believe that System M can be extended similarly.

The main novelty of System M compared to the above-mentioned
line of work lies in the Eq and Confine rules, which statically
derive computational effects of untyped adversary-supplied code.


Code-Carrying Authorization (CCA) [?] is another extension
to F7 that enforces authorization policies. CCA introduces dynamic
type casts to allow untrusted code to construct authorization
proofs (e.g., Alice can review paper number 10). The language
runtime uses logical assertions made by trusted programs to construct
the proofs present in the type cast. The soundness of type casts in
CCA relies on the fact that untrusted code cannot make any assertions
and can only use those made by trusted code. Similar
to CCA, System M also assigns untrusted code descriptive types;
CCA checks those types at runtime, whereas the Confine rule assigns
types statically.

Verification of TPM and protocols based on TPM Existing work
on verification of TPM APIs and protocols relying on TPM APIs
uses a variety of techniques [?]. Gürgens et al. use automata
to model the transitions of TPM APIs [?]. Several results
[?] use the automated tool ProVerif [?]. ProVerif translates
protocols encoded in the pi calculus into Horn clauses. To check
security properties such as secrecy and correspondence, the tool
runs a resolution engine on these Horn clauses together with clauses representing
a Dolev-Yao attacker. ProVerif over-approximates the protocol
states and works with a monotonic set of facts. Special techniques
need to be applied to use ProVerif to analyze stateful protocols,
such as ones that use TPM PCRs [?]. System M is more expressive:
it can model and reason about higher-order functions and
programs that invoke adversary-supplied code. Reasoning about
shared non-monotonic state is possible in System M. However,
verification using System M requires manual proofs. It is unclear
whether our Memoir case study can be verified using the techniques
introduced in [?], as it requires reasoning about higher-order code.

A proof of safety formalized in TLA+ [?] was presented
in the Memoir paper [?]. The authors showed that Memoir's design
refines an obviously safe specification that cannot be rolled back,
thus implying the state integrity property we prove. However, that
proof assumes that the service being protected is a constant action
with no effects. Consequently, they do not need to reason about
the service program being changed or causing unsafe effects. Our
proofs assume a more realistic model, requiring that the identity of
the service be proven and that the effects of the service be analyzed
based on the sandbox provided by the TPM.

8. Conclusion 

System M is a program logic for proving safety properties of programs
that may execute adversary-supplied code with some precautions.
System M generalizes Hoare Type Theory with invariant
assertions, and adds two novel typing rules, Eq and Confine,
that allow typing adversarial code using reasoning in the assertion
logic and assumptions about the code's sandbox, respectively. We
prove soundness and robust safety relative to a step-indexed trace
model of computations. Going further, we would like to build tools
for proof verification and automatic deduction in System M.
(Continuation of the $\mathcal{RC}$ definitions of Figure 7, displaced in the scan: the case for computation types of the form $\Pi x{:}\tau.u_1.u_2.i.(y{:}\tau'.\varphi, \varphi')$; its left-hand side is cut off.)

$$\begin{array}{l}
\ldots = \{(k, c) \mid \forall e,\ \forall u', u_B, u_E, \iota,\ u < u' < u_B < u_E,\ \text{let } \gamma = [u_B, u_E, \iota/u_1, u_2, i], \\
\qquad (k, e) \in \mathcal{RE}(u_b.u_e.i.\varphi_1)[\![\tau]\!]_{\theta;T;u'} \Rightarrow \\
\qquad (k, c\ e) \in \mathcal{RC}(u_b.u_e.i.\varphi_1)[\![(y{:}\tau'\gamma.\varphi\gamma)[e/x]]\!]_{\theta;T;u_B,u_E,\iota} \cap \mathcal{RC}(\_)[\![\varphi'\gamma[e/x]]\!]_{\theta;T;u_B,u_E,\iota}\}
\end{array}$$


A. Semantics 

Semantics for invariant properties Next we define a logical relation
indexed only by an invariant property $u_b.u_e.i.\varphi$.


$$\begin{array}{l}
\mathcal{RV}_{\mathit{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u} = \{(k,\mathit{nf}) \mid \mathit{nf} \neq \lambda x.e,\ \Lambda X.e,\ \mathsf{comp}(c)\} \\
\quad \cup\ \{(k, \mathsf{comp}(c)) \mid (k, c) \in \mathcal{RC}_{\mathit{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u}\} \\
\quad \cup\ \{(k, \lambda x.e) \mid \forall j, u',\ j < k,\ u' > u,\ (j, e') \in \mathcal{RE}_{\mathit{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u'} \Rightarrow (j, e[e'/x]) \in \mathcal{RE}_{\mathit{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u'}\} \\
\quad \cup\ \{(k, \Lambda X.e) \mid \forall j,\ j < k \Rightarrow (j, e) \in \mathcal{RE}_{\mathit{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u}\}
\end{array}$$

$$\mathcal{RE}_{\mathit{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u} = \{(k, e) \mid \forall\, 0 \le m \le k,\ e \to_\beta^m e' \Rightarrow (k - m, e') \in \mathcal{RV}_{\mathit{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u}\}$$

$$\begin{array}{l}
\mathcal{RC}_{\mathit{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u} = \\
\quad \{(k, c) \mid \forall u_B, u_E, \iota,\ u < u_B < u_E,\ \text{let } \gamma = [u_B, u_E, \iota/u_1, u_2, i], \\
\qquad j_b \text{ is the length of the trace from time } u_B \text{ to the end of } T, \\
\qquad j_e \text{ is the length of the trace from time } u_E \text{ to the end of } T, \\
\qquad k > j_b > j_e, \\
\qquad \text{the configuration at time } u_B \text{ is } \sigma_b \triangleright \cdots, (\iota;\ x.c' :: K;\ c), \cdots \\
\qquad \text{between } u_B \text{ and } u_E \text{ (inclusive), the stack of thread } \iota \text{ always contains the prefix } x.c' :: K \\
\qquad \Rightarrow T \models \varphi\gamma\} \\
\quad \cap\ \{(k, c) \mid \forall u_B, u_E, \iota,\ u < u_B < u_E,\ \text{let } \gamma = [u_B, u_E, \iota/u_1, u_2, i], \\
\qquad j_b \text{ is the length of the trace from time } u_B \text{ to the end of } T, \\
\qquad j_e \text{ is the length of the trace from time } u_E \text{ to the end of } T, \\
\qquad k > j_b > j_e, \\
\qquad \text{the configuration at time } u_B \text{ is } \sigma_b \triangleright \cdots, (\iota;\ x.c' :: K;\ c), \cdots \\
\qquad \text{the configuration at time } u_E \text{ is } \sigma_e \triangleright \cdots, (\iota;\ K;\ c'[e'/x]), \cdots \\
\qquad \text{between } u_B \text{ and } u_E \text{, the stack of thread } \iota \text{ always contains } x.c' :: K \\
\qquad \Rightarrow (j_e, e') \in \mathcal{RE}_{\mathit{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u_E} \text{ and } T \models \varphi\gamma\}
\end{array}$$

The relation for computations applied to arguments (its name is illegible in the scan; written here as $\mathcal{RF}_{\mathit{INV}}$):

$$\mathcal{RF}_{\mathit{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u} = \{(k, c) \mid \forall e,\ (k, e) \in \mathcal{RE}_{\mathit{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u} \Rightarrow (k, c\ e) \in \mathcal{RC}_{\mathit{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u}\}$$

Semantics for invariant indexed types Figure 7 summarizes the
interpretation of types indexed by the invariant property $u_b.u_e.i.\varphi$.
The invariant property constrains the behavior of expressions
that evaluate to normal forms that do not agree with their
types.

$$\begin{array}{l}
\mathcal{RC}(u_b.u_e.i.\varphi_1)[\![x{:}\tau.\varphi]\!]_{\theta;T;u_1,u_2,\iota} = \{(k, c) \mid \\
\qquad j_b \text{ is the length of the trace from time } u_1 \text{ to the end of } T, \\
\qquad j_e \text{ is the length of the trace from time } u_2 \text{ to the end of } T, \\
\qquad k > j_b > j_e, \\
\qquad \text{the configuration at time } u_1 \text{ is } \sigma_b \triangleright \cdots, (\iota;\ x.c' :: K;\ c), \cdots \\
\qquad \text{the configuration at time } u_2 \text{ is } \sigma_e \triangleright \cdots, (\iota;\ K;\ c'[e'/x]), \cdots \\
\qquad \text{between } u_1 \text{ and } u_2 \text{, the stack of thread } \iota \text{ always contains } x.c' :: K \\
\qquad \Rightarrow (j_e, e') \in \mathcal{RE}(u_b.u_e.i.\varphi_1)[\![\tau]\!]_{\theta;T;u_2} \text{ and } T \models \varphi[e'/x]\}
\end{array}$$

$$\begin{array}{l}
\mathcal{RC}(\_)[\![\varphi]\!]_{\theta;T;u_1,u_2,\iota} = \{(k, c) \mid \\
\qquad j_b \text{ is the length of the trace from time } u_1 \text{ to the end of } T, \\
\qquad j_e \text{ is the length of the trace from time } u_2 \text{ to the end of } T, \\
\qquad k > j_b > j_e, \\
\qquad \text{the configuration at time } u_1 \text{ is } \sigma_b \triangleright \cdots, (\iota;\ x.c' :: K;\ c), \cdots \\
\qquad \ldots \text{ (the remaining conditions of this clause are cut off in the scan)}\}
\end{array}$$

$$\begin{array}{l}
\mathcal{RA}(u_b.u_e.i.\varphi)[\![\mathsf{Act}(u_1.u_2.i.(x{:}\tau.\varphi_1, \varphi_2))]\!]_{\theta;T;u} = \\
\quad \{(k, a) \mid \forall u_B, u_E, \iota,\ u < u_B < u_E,\ \text{let } \gamma = [u_B, u_E, \iota/u_1, u_2, i], \\
\qquad (k, \mathsf{act}(a)) \in \mathcal{RC}(u_b.u_e.i.\varphi)[\![x{:}\tau\gamma.\varphi_1\gamma]\!]_{\theta;T;u_B,u_E,\iota} \cap \mathcal{RC}(u_b.u_e.i.\varphi)[\![\varphi_2\gamma]\!]_{\theta;T;u_B,u_E,\iota}\}
\end{array}$$

$$\begin{array}{l}
\mathcal{RA}(u_b.u_e.i.\varphi)[\![\Pi x{:}\tau.\alpha]\!]_{\theta;T;u} = \\
\quad \{(k, a) \mid \forall e,\ \forall u' > u,\ (k, e) \in \mathcal{RE}(u_b.u_e.i.\varphi)[\![\tau]\!]_{\theta;T;u'} \Rightarrow (k, a\ e) \in \mathcal{RA}(u_b.u_e.i.\varphi)[\![\alpha[e/x]]\!]_{\theta;T;u'}\}
\end{array}$$

$$\begin{array}{l}
\mathcal{RA}(u_b.u_e.i.\varphi)[\![\forall X.\alpha]\!]_{\theta;T;u} = \\
\quad \{(k, a) \mid \forall j < k,\ \forall C \in \mathit{Type} \Rightarrow (j, a\ \cdot) \in \mathcal{RA}(u_b.u_e.i.\varphi)[\![\alpha]\!]_{\theta[X \mapsto C];T;u}\}
\end{array}$$

Formula semantics

$$[\![\mathsf{any}]\!] = \{e \mid e \text{ is an expression}\}$$

$$[\![b]\!] = \{e \mid e \text{ evaluates to a base value } \mathit{bv}\}$$

$$[\![\Pi x{:}\tau_1.\tau_2]\!] = \{\lambda x.e \mid \forall e',\ e' \in [\![\tau_1]\!] \Rightarrow e[e'/x] \in [\![\tau_2]\!]\}$$

$T \models P\ e$ iff $P\ e \in \varepsilon(T)$

$T \models \mathsf{start}(\iota, c, u)$ iff thread $\iota$ has $c$ as the active computation with an empty stack at time $u$ on $T$

$T \models \forall x{:}\tau.\varphi$ iff for all $e$, $e \in [\![\tau]\!]$ implies $T \models \varphi[e/x]$

$T \models \exists x{:}\tau.\varphi$ iff there exists $e$ such that $e \in [\![\tau]\!]$ and $T \models \varphi[e/x]$

B. Term Language and Operational Semantics

Syntax

Base values      $\mathit{bv} ::= \mathsf{tt} \mid \mathsf{ff} \mid t \mid \iota \mid n$

Expressions      $e ::= x \mid \mathit{bv} \mid \lambda x.e \mid \Lambda X.e \mid e_1\ e_2 \mid e\ \cdot \mid \mathsf{comp}(c)$

Actions          $a ::= A \mid a\ e \mid a\ \cdot$

Computations     $c ::= \mathsf{act}(a) \mid \mathsf{ret}(e) \mid \mathsf{fix}\ f(x).c \mid c\ e \mid \mathsf{letc}(c_1, x.c_2) \mid \mathsf{lete}(e_1, x.c_2) \mid c_1; c_2 \mid e_1; c_2 \mid \mathsf{if}\ e\ \mathsf{then}\ c_1\ \mathsf{else}\ c_2$

Expr types       $\tau ::= X \mid b \mid \Pi x{:}\tau_1.\tau_2 \mid \forall X.\tau \mid \mathsf{comp}(\eta_c) \mid \mathsf{any}$

Comp types       $\eta ::= x{:}\tau.\varphi \mid \varphi \mid (x{:}\tau.\varphi, \varphi')$

Closed c types   $\eta_c ::= u_1.u_2.i.(x{:}\tau.\varphi_1, \varphi_2) \mid \Pi x{:}\tau.u_1.u_2.i.(y{:}\tau.\varphi_1, \varphi_2)$

Assertions       $\varphi ::= P \mid e_1 = e_2 \mid \varphi\ e \mid \top \mid \bot \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \vee \varphi_2 \mid \forall x{:}\tau.\varphi \mid \exists x{:}\tau.\varphi$

Action kinds     $\alpha ::= \mathsf{Act}(\eta_c) \mid \Pi x{:}\tau.\alpha \mid \forall X.\alpha$

Type var ctx     $\Theta ::= \cdot \mid \Theta, X$

Signatures       $\Sigma ::= \cdot \mid \Sigma, A :: \alpha$

Logic var ctx    $\Gamma^L ::= \cdot \mid \Gamma^L, x : b \mid \Gamma^L, x : \mathsf{any}$

Typing ctx       $\Gamma ::= \cdot \mid \Gamma, x : \tau$

Formula ctx      $\Delta ::= \cdot \mid \Delta, \varphi$

Exec ctx         $\Xi ::= u_b : b, u_e : b, i : b$


Beta reductions We define the $\beta$-reduction rules ($e \to_\beta e'$) below.

$$(\lambda x.e)\ e_2 \to_\beta e[e_2/x] \qquad\qquad \Lambda X.e\ \cdot \to_\beta e$$

$$\frac{e_1 \to_\beta e_1'}{e_1\ e_2 \to_\beta e_1'\ e_2} \qquad\qquad \frac{e_1 \to_\beta e_1'}{e_1\ \cdot \to_\beta e_1'\ \cdot}$$
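As an added example (not code from the paper), the following Python implements the four $\beta$-reduction rules above for the expression language, with capture-avoiding substitution, a step counter of the kind the step-indexed relations subtract, and the literal syntactic-equality check the Eq rule relies on; the sample terms at the end are constructed here. Computations `comp(c)` are omitted because they are not $\beta$-reduced.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Union

# Expressions of the term language (Appendix B) minus comp(c), which is not
# β-reduced:   e ::= x | bv | λx.e | ΛX.e | e1 e2 | e ·
@dataclass(frozen=True)
class Var:
    name: str
@dataclass(frozen=True)
class Base:
    value: object                 # a base value bv
@dataclass(frozen=True)
class Lam:
    param: str
    body: Expr
@dataclass(frozen=True)
class TLam:
    body: Expr                    # ΛX.e; the type variable plays no role in reduction
@dataclass(frozen=True)
class App:
    fun: Expr
    arg: Expr
@dataclass(frozen=True)
class TApp:
    fun: Expr                     # e ·

Expr = Union[Var, Base, Lam, TLam, App, TApp]


def free_vars(e: Expr) -> frozenset[str]:
    if isinstance(e, Var):
        return frozenset({e.name})
    if isinstance(e, Base):
        return frozenset()
    if isinstance(e, Lam):
        return free_vars(e.body) - {e.param}
    if isinstance(e, TLam):
        return free_vars(e.body)
    return free_vars(e.fun) | (free_vars(e.arg) if isinstance(e, App) else frozenset())


def subst(e: Expr, x: str, v: Expr) -> Expr:
    """Capture-avoiding substitution e[v/x]."""
    if isinstance(e, Var):
        return v if e.name == x else e
    if isinstance(e, Base):
        return e
    if isinstance(e, Lam):
        if e.param == x:                      # x is shadowed: nothing to substitute
            return e
        if e.param in free_vars(v):           # rename the binder so a free variable of v is not captured
            y = e.param
            while y in free_vars(v) | free_vars(e.body):
                y += "'"
            return Lam(y, subst(subst(e.body, e.param, Var(y)), x, v))
        return Lam(e.param, subst(e.body, x, v))
    if isinstance(e, TLam):
        return TLam(subst(e.body, x, v))
    if isinstance(e, App):
        return App(subst(e.fun, x, v), subst(e.arg, x, v))
    return TApp(subst(e.fun, x, v))


def step(e: Expr) -> Optional[Expr]:
    """One call-by-name β-step, or None if e is a normal form."""
    if isinstance(e, App):
        if isinstance(e.fun, Lam):            # (λx.e) e2 →β e[e2/x]; e2 is substituted unevaluated
            return subst(e.fun.body, e.fun.param, e.arg)
        e1 = step(e.fun)                      # e1 e2 →β e1' e2 when e1 →β e1'
        return None if e1 is None else App(e1, e.arg)
    if isinstance(e, TApp):
        if isinstance(e.fun, TLam):           # ΛX.e · →β e
            return e.fun.body
        e1 = step(e.fun)                      # e1 · →β e1' · when e1 →β e1'
        return None if e1 is None else TApp(e1)
    return None                               # x, bv, λx.e, ΛX.e and stuck applications do not reduce


def reduce(e: Expr, fuel: int = 1000) -> tuple[Expr, int]:
    """Reduce e to a normal form e'. Returns (e', m) with e →β^m e'; m is the
    number of steps subtracted from the step index k in the RE relations."""
    m = 0
    while (nxt := step(e)) is not None:
        if m >= fuel:
            raise RuntimeError("no normal form reached within fuel")
        e, m = nxt, m + 1
    return e, m


def syntactically_equal(e1: Expr, e2: Expr) -> bool:
    """Literal syntactic equality, the relation the Eq rule relies on (not β-equality)."""
    return e1 == e2


# Constructed sample terms.
OMEGA_HALF = Lam("x", App(Var("x"), Var("x")))
OMEGA = App(OMEGA_HALF, OMEGA_HALF)           # (λx.x x)(λx.x x): reduces only to itself
K = Lam("x", Lam("y", Var("x")))              # λx.λy.x
ID = Lam("x", Var("x"))

if __name__ == "__main__":
    print(reduce(App(App(K, Base(1)), OMEGA)))                  # (Base(1), 2): OMEGA is never reduced
    print(syntactically_equal(App(ID, Base(1)), Base(1)))       # False, though both reduce to Base(1)
```

Under call-by-name the divergent argument `OMEGA` is discarded by `K` without ever being reduced, whereas `(λx.x) 1` and `1` are $\beta$-equal but fail the syntactic check, which is exactly the distinction the discussion of the Eq rule turns on.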


Thread and configuration reductions The thread-local judgment has the form $\sigma \triangleright T \longrightarrow \sigma' \triangleright T'$, where $\sigma$ is the store and a thread is written $(\iota;\ K;\ c)$ with thread id $\iota$, stack $K$ and current computation $c$; configurations reduce via $C \longrightarrow C'$.

$$\frac{\mathsf{next}(\sigma, a) = (\sigma', e) \quad e \neq \mathsf{stuck}}{\sigma \triangleright (\iota;\ x.c :: K;\ \mathsf{act}(a)) \longrightarrow \sigma' \triangleright (\iota;\ K;\ c[e/x])}\ \textsc{R-ActS}$$

$$\frac{\mathsf{next}(\sigma, a) = (\sigma', \mathsf{stuck})}{\sigma \triangleright (\iota;\ x.c :: K;\ \mathsf{act}(a)) \longrightarrow \sigma' \triangleright (\iota;\ \mathsf{stuck})}\ \textsc{R-ActF}$$

$$\frac{}{\sigma \triangleright (\iota;\ \mathsf{stuck}) \longrightarrow \sigma \triangleright (\iota;\ \mathsf{stuck})}\ \textsc{R-Stuck}$$

$$\frac{}{\sigma \triangleright (\iota;\ x.c :: K;\ \mathsf{ret}(e)) \longrightarrow \sigma \triangleright (\iota;\ K;\ c[e/x])}\ \textsc{R-Ret}$$

$$\frac{}{\sigma \triangleright (\iota;\ K;\ \mathsf{lete}(e_1, x.c_2)) \longrightarrow \sigma \triangleright (\iota;\ x.c_2 :: K;\ e_1)}\ \textsc{R-SeqE1}$$

$$\frac{e \to_\beta e'}{\sigma \triangleright (\iota;\ K;\ e) \longrightarrow \sigma \triangleright (\iota;\ K;\ e')}\ \textsc{R-SeqE2}$$

$$\frac{}{\sigma \triangleright (\iota;\ x.c_2 :: K;\ \mathsf{comp}(c_1)) \longrightarrow \sigma \triangleright (\iota;\ x.c_2 :: K;\ c_1)}\ \textsc{R-SeqE3}$$

$$\frac{}{\sigma \triangleright (\iota;\ K;\ \mathsf{letc}(c_1, x.c_2)) \longrightarrow \sigma \triangleright (\iota;\ x.c_2 :: K;\ c_1)}\ \textsc{R-SeqC}$$

$$\frac{}{\sigma \triangleright (\iota;\ K;\ (\mathsf{fix}\ f(x).c)\ e) \longrightarrow \sigma \triangleright (\iota;\ K;\ c[\lambda z.\mathsf{comp}((\mathsf{fix}\ f(x).c)\ z)/f][e/x])}$$

$$\frac{\sigma \triangleright T \longrightarrow \sigma' \triangleright T'}{\sigma \triangleright T, T_1, \ldots, T_n \longrightarrow \sigma' \triangleright T', T_1, \ldots, T_n}$$

(The names of the last two rules are illegible in the scan.)


C. Well-formedness Judgments

Well-formedness judgments for contexts and types. The judgments are $\Theta \vdash \Sigma\ \mathit{ok}$, $\Theta; \Sigma \vdash \Gamma\ \mathit{ok}$, $\Theta; \Sigma; \Gamma \vdash \Delta\ \mathit{ok}$, $\Gamma \vdash \varphi\ \mathit{ok}$, $\Theta; \Sigma; \Gamma \vdash \tau\ \mathit{ok}$, $\Theta; \Sigma; \Gamma \vdash \alpha\ \mathit{ok}$ and $\Theta; \Sigma; \Gamma \vdash \eta_c\ \mathit{ok}$. The rules legible in the scan are reproduced below.

$$\frac{}{\Theta \vdash \cdot\ \mathit{ok}} \qquad \frac{\Theta \vdash \Sigma\ \mathit{ok} \quad \Theta; \Sigma; \cdot \vdash \alpha\ \mathit{ok}}{\Theta \vdash \Sigma, A :: \alpha\ \mathit{ok}}$$

$$\frac{\Theta \vdash \Sigma\ \mathit{ok}}{\Theta; \Sigma \vdash \cdot\ \mathit{ok}} \qquad \frac{\Theta; \Sigma \vdash \Gamma\ \mathit{ok} \quad \Theta; \Sigma; \Gamma \vdash \tau\ \mathit{ok}}{\Theta; \Sigma \vdash \Gamma, x : \tau\ \mathit{ok}}$$

$$\frac{\Theta; \Sigma \vdash \Gamma\ \mathit{ok}}{\Theta; \Sigma; \Gamma \vdash \cdot\ \mathit{ok}} \qquad \frac{\Theta; \Sigma; \Gamma \vdash \Delta\ \mathit{ok} \quad \Gamma \vdash \varphi\ \mathit{ok}}{\Theta; \Sigma; \Gamma \vdash \Delta, \varphi\ \mathit{ok}}$$

$$\frac{}{\Gamma \vdash P\ \mathit{ok}} \qquad \frac{\Gamma \vdash \varphi\ \mathit{ok} \quad \mathit{fv}(e) \subseteq \mathit{dom}(\Gamma)}{\Gamma \vdash \varphi\ e\ \mathit{ok}} \qquad \frac{\mathit{fv}(e_1) \cup \mathit{fv}(e_2) \subseteq \mathit{dom}(\Gamma)}{\Gamma \vdash e_1 = e_2\ \mathit{ok}}$$

$$\frac{}{\Gamma \vdash \top\ \mathit{ok}} \qquad \frac{}{\Gamma \vdash \bot\ \mathit{ok}} \qquad \frac{\Gamma \vdash \varphi\ \mathit{ok}}{\Gamma \vdash \neg\varphi\ \mathit{ok}} \qquad \frac{\Gamma \vdash \varphi_1\ \mathit{ok} \quad \Gamma \vdash \varphi_2\ \mathit{ok}}{\Gamma \vdash \varphi_1 \wedge \varphi_2\ \mathit{ok}} \qquad \frac{\Gamma \vdash \varphi_1\ \mathit{ok} \quad \Gamma \vdash \varphi_2\ \mathit{ok}}{\Gamma \vdash \varphi_1 \vee \varphi_2\ \mathit{ok}}$$

$$\frac{\tau = b \text{ or } \mathsf{any} \quad \Gamma, x : \tau \vdash \varphi\ \mathit{ok}}{\Gamma \vdash \forall x{:}\tau.\varphi\ \mathit{ok}} \qquad \frac{\tau = b \text{ or } \mathsf{any} \quad \Gamma, x : \tau \vdash \varphi\ \mathit{ok}}{\Gamma \vdash \exists x{:}\tau.\varphi\ \mathit{ok}}$$

$$\frac{X \in \Theta \quad \Theta; \Sigma \vdash \Gamma\ \mathit{ok}}{\Theta; \Sigma; \Gamma \vdash X\ \mathit{ok}} \qquad \frac{\Theta; \Sigma \vdash \Gamma\ \mathit{ok}}{\Theta; \Sigma; \Gamma \vdash b\ \mathit{ok}} \qquad \frac{\Theta; \Sigma \vdash \Gamma\ \mathit{ok}}{\Theta; \Sigma; \Gamma \vdash \mathsf{any}\ \mathit{ok}}$$

$$\frac{\Theta; \Sigma; \Gamma \vdash \tau_1\ \mathit{ok} \quad \Theta; \Sigma; \Gamma, x : \tau_1 \vdash \tau_2\ \mathit{ok}}{\Theta; \Sigma; \Gamma \vdash \Pi x{:}\tau_1.\tau_2\ \mathit{ok}} \qquad \frac{\Theta; \Sigma; \Gamma \vdash \eta_c\ \mathit{ok}}{\Theta; \Sigma; \Gamma \vdash \mathsf{comp}(\eta_c)\ \mathit{ok}} \qquad \frac{\Theta, X; \Sigma; \Gamma \vdash \tau\ \mathit{ok}}{\Theta; \Sigma; \Gamma \vdash \forall X.\tau\ \mathit{ok}}$$

$$\frac{\Theta; \Sigma; \Gamma \vdash \eta_c\ \mathit{ok}}{\Theta; \Sigma; \Gamma \vdash \mathsf{Act}(\eta_c)\ \mathit{ok}} \qquad \frac{\Theta; \Sigma; \Gamma \vdash \tau\ \mathit{ok} \quad \Theta; \Sigma; \Gamma, x : \tau \vdash \alpha\ \mathit{ok}}{\Theta; \Sigma; \Gamma \vdash \Pi x{:}\tau.\alpha\ \mathit{ok}} \qquad \frac{\Theta, X; \Sigma; \Gamma \vdash \alpha\ \mathit{ok}}{\Theta; \Sigma; \Gamma \vdash \forall X.\alpha\ \mathit{ok}}$$

$$\frac{\Theta; \Sigma; \Gamma, u_1{:}b, u_2{:}b, i{:}b \vdash \tau\ \mathit{ok} \quad \Gamma, u_1{:}b, u_2{:}b, i{:}b, x : \tau \vdash \varphi_1\ \mathit{ok} \quad \Gamma, u_1{:}b, u_2{:}b, i{:}b \vdash \varphi_2\ \mathit{ok}}{\Theta; \Sigma; \Gamma \vdash u_1.u_2.i.(x{:}\tau.\varphi_1, \varphi_2)\ \mathit{ok}}$$

$$\frac{\Theta; \Sigma; \Gamma \vdash \tau\ \mathit{ok} \quad \Theta; \Sigma; \Gamma, y : \tau \vdash u_1.u_2.i.(x{:}\tau_1.\varphi_1, \varphi_2)\ \mathit{ok}}{\Theta; \Sigma; \Gamma \vdash \Pi y{:}\tau.u_1.u_2.i.(x{:}\tau_1.\varphi_1, \varphi_2)\ \mathit{ok}}$$

D. Typing Rules

Typing for simple terms The judgment $\Gamma \vdash e : \tau$ types the terms that appear in assertions.

$$\frac{x : \tau \in \Gamma}{\Gamma \vdash x : \tau} \qquad \frac{\Gamma, x : \tau_1 \vdash e : \tau_2}{\Gamma \vdash \lambda x.e : \Pi x{:}\tau_1.\tau_2} \qquad \frac{\Gamma \vdash e_1 : \Pi x{:}\tau_1.\tau_2 \quad \Gamma \vdash e_2 : \tau_1}{\Gamma \vdash e_1\ e_2 : \tau_2} \qquad \frac{}{\Gamma \vdash e : \mathsf{any}}$$

Typing rules for expressions The judgment is $u; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q e : \tau$, where the qualifier $Q$ is either empty or an invariant $u_b.u_e.i.\varphi$.

$$\frac{\Theta; \Sigma; \Gamma^L, u, \Gamma \vdash \Delta\ \mathit{ok} \quad x : \tau \in \Gamma}{u; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash x : \tau}\ \textsc{E-Var} \qquad \frac{\Theta; \Sigma; \Gamma^L, u, \Gamma \vdash \Delta\ \mathit{ok} \quad \mathit{fv}(e) \subseteq \mathit{dom}(\Gamma)}{u; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash e : \mathsf{any}}$$

$$\frac{\Theta; \Sigma; \Gamma^L, u, \Gamma \vdash \Delta\ \mathit{ok}}{u; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash \mathit{bv} : b}\ \textsc{E-BaseVal} \qquad \frac{\Theta; \Sigma; \Gamma^L, u, \Gamma \vdash \tau_1\ \mathit{ok} \quad u; \Theta; \Sigma; \Gamma^L; \Gamma, x : \tau_1; \Delta \vdash_Q e : \tau_2}{u; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q \lambda x.e : \Pi x{:}\tau_1.\tau_2}\ \textsc{E-Fun}$$

$$\frac{u; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q e_1 : \Pi x{:}\tau_1.\tau_2 \quad u; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q e_2 : \tau_1}{u; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q e_1\ e_2 : \tau_2[e_2/x]}\ \textsc{E-App}$$

$$\frac{u; \Theta, X; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q e : \tau}{u; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q \Lambda X.e : \forall X.\tau}\ \textsc{E-TFun} \qquad \frac{u; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q e : \forall X.\tau_1 \quad \Theta; \Sigma; \Gamma^L, u, \Gamma \vdash \tau\ \mathit{ok}}{u; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q e\ \cdot : \tau_1[\tau/X]}\ \textsc{E-TApp}$$

$$\frac{\begin{array}{c} u_1, u_2, i; \Theta; \Sigma; \Gamma^L, u{:}b; \Gamma; \Delta, u_1 > u \vdash_Q c : (x{:}\tau.\varphi_1, \varphi_2) \\ \Theta; \Sigma; \Gamma^L, u{:}b, u_1{:}b, u_2{:}b, i{:}b; \Gamma, x : \tau; \Delta \vdash \varphi_1 \Rightarrow \varphi_1'\ \mathit{true} \quad \Theta; \Sigma; \Gamma^L, u{:}b, u_1{:}b, u_2{:}b, i{:}b; \Gamma; \Delta \vdash \varphi_2 \Rightarrow \varphi_2'\ \mathit{true} \\ \Theta; \Sigma; \Gamma^L, u{:}b; \Gamma \vdash u_1.u_2.i.(x{:}\tau.\varphi_1', \varphi_2')\ \mathit{ok} \quad \mathit{fv}(c) \subseteq \mathit{dom}(\Gamma) \end{array}}{u; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q \mathsf{comp}(c) : \mathsf{comp}(u_1.u_2.i.(x{:}\tau.\varphi_1', \varphi_2'))}$$

$$\frac{u; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q e : \tau \quad \Theta; \Sigma; \Gamma^L, u; \Gamma; \Delta \vdash e = e'\ \mathit{true} \quad \mathit{fv}(e') \subseteq \mathit{dom}(\Gamma)}{u; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q e' : \tau}\ \textsc{Eq}$$

$$\frac{\begin{array}{c} \varphi \text{ is trace composable} \quad u_b, u_e, i; \Theta; \Sigma; \Gamma^L, u; \Gamma; \Delta \vdash \varphi\ \mathit{silent} \quad u_b{:}b, u_e{:}b, i{:}b \vdash \varphi\ \mathit{ok} \\ \mathit{fa}(e) = \emptyset \quad \mathit{fv}(e) \subseteq \Gamma \quad \mathit{confine}(\tau)(u_b.u_e.i.\varphi) \quad \mathit{confine}(\Gamma)(u_b.u_e.i.\varphi) \end{array}}{u; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_{u_b.u_e.i.\varphi} e : \tau}\ \textsc{Confine}$$

$$\frac{u; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash e : \tau \quad u_b{:}b, u_e{:}b, i{:}b \vdash \varphi\ \mathit{ok}}{u; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_{u_b.u_e.i.\varphi} e : \tau}\ \textsc{Conf-sub}$$

Confine relation

$$\frac{}{\mathit{confine}(b)(u_b.u_e.i.\varphi)} \qquad \frac{\mathit{confine}(\tau_1)(u_b.u_e.i.\varphi) \quad \mathit{confine}(\tau_2)(u_b.u_e.i.\varphi)}{\mathit{confine}(\Pi\_{:}\tau_1.\tau_2)(u_b.u_e.i.\varphi)} \qquad \frac{\mathit{confine}(\tau)(u_b.u_e.i.\varphi)}{\mathit{confine}(\mathsf{comp}(u_b.u_e.i.(x{:}\tau.\varphi, \varphi)))(u_b.u_e.i.\varphi)}$$

Typing rules for silent threads The judgment is $\Xi; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash \varphi\ \mathit{silent}$.

$$\frac{\Theta; \Sigma; \Gamma^L; \Xi, \Gamma; \Delta \vdash \varphi\ \mathit{true} \quad \Gamma^L, \Xi, \Gamma \vdash \varphi\ \mathit{ok}}{\Xi; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash \varphi\ \mathit{silent}}\ \textsc{Silent}$$

Typing rules for actions The judgment is $u : b; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q a :: \alpha$.

$$\frac{\Theta; \Sigma; \Gamma^L, u : b; \Gamma \vdash \Delta\ \mathit{ok} \quad A :: \alpha \in \Sigma}{u : b; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash A :: \alpha}$$

$$\frac{u : b; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q a :: \Pi x{:}\tau.\alpha \quad u : b; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q e : \tau}{u : b; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q a\ e :: \alpha[e/x]} \qquad \frac{u : b; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q a :: \forall X.\alpha \quad \Theta; \Sigma; \Gamma^L, u : b, \Gamma \vdash \tau\ \mathit{ok}}{u : b; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q a\ \cdot :: \alpha[\tau/X]}$$

Logical reasoning rules The judgment is $\Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash \varphi\ \mathit{true}$; the common prefix $\Theta; \Sigma; \Gamma^L; \Gamma$ is abbreviated to $\Psi$ below where it is unchanged.

$$\frac{\Psi; \Delta \vdash \varphi_1\ \mathit{true} \quad \Psi; \Delta \vdash \varphi_2\ \mathit{true}}{\Psi; \Delta \vdash \varphi_1 \wedge \varphi_2\ \mathit{true}}\ \wedge\textsc{I} \qquad \frac{\Psi; \Delta \vdash \varphi_1 \wedge \varphi_2\ \mathit{true} \quad i \in [1, 2]}{\Psi; \Delta \vdash \varphi_i\ \mathit{true}}\ \wedge\textsc{E}$$

$$\frac{\Psi; \Delta \vdash \varphi_i\ \mathit{true} \quad i \in [1, 2]}{\Psi; \Delta \vdash \varphi_1 \vee \varphi_2\ \mathit{true}}\ \vee\textsc{I} \qquad \frac{\Psi; \Delta \vdash \varphi_1 \vee \varphi_2\ \mathit{true} \quad \Psi; \Delta, \varphi_1, \Delta' \vdash \varphi\ \mathit{true} \quad \Psi; \Delta, \varphi_2, \Delta' \vdash \varphi\ \mathit{true}}{\Psi; \Delta, \Delta' \vdash \varphi\ \mathit{true}}\ \vee\textsc{E}$$

$$\frac{\Theta; \Sigma; \Gamma^L, x : \tau; \Gamma; \Delta \vdash \varphi\ \mathit{true}}{\Psi; \Delta \vdash \forall x{:}\tau.\varphi\ \mathit{true}}\ \forall\textsc{I} \qquad \frac{\Psi; \Delta \vdash \forall x{:}\tau.\varphi\ \mathit{true} \quad \Gamma^L \vdash t : \tau}{\Psi; \Delta \vdash \varphi[t/x]\ \mathit{true}}\ \forall\textsc{E}$$

$$\frac{\Psi; \Delta \vdash \varphi[t/x]\ \mathit{true}}{\Psi; \Delta \vdash \exists x{:}\tau.\varphi\ \mathit{true}}\ \exists\textsc{I} \qquad \frac{\Psi; \Delta \vdash \exists x{:}\tau.\varphi\ \mathit{true} \quad \Theta; \Sigma; \Gamma^L, a : \tau; \Gamma; \Delta, \varphi[a/x] \vdash \varphi'\ \mathit{true} \quad a \notin \mathit{fv}(\varphi')}{\Psi; \Delta \vdash \varphi'\ \mathit{true}}\ \exists\textsc{E}$$

$$\frac{u_1, u_2, i; \Theta; \Sigma; \Gamma^L; \cdot; \Delta \vdash c : \varphi \quad \Theta; \Sigma; \Gamma^L; \cdot; \Delta \vdash \mathsf{start}(\iota, c, u)\ \mathit{true} \quad \Theta; \Sigma \vdash \Gamma^L, \Gamma\ \mathit{ok}}{\Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash \forall u'{:}b.\ (u' > u) \Rightarrow \varphi[u, u', \iota/u_1, u_2, i]\ \mathit{true}}\ \textsc{Honest}$$

$$\frac{\Psi; \Delta_1 \vdash \varphi\ \mathit{true} \quad \Psi; \Delta_1, \varphi, \Delta_2 \vdash \varphi'\ \mathit{true}}{\Psi; \Delta_1, \Delta_2 \vdash \varphi'\ \mathit{true}}\ \textsc{Cut} \qquad \frac{\Theta; \Sigma; \Gamma^L, \Gamma \vdash \Delta\ \mathit{ok} \quad \varphi \in \Delta}{\Psi; \Delta \vdash \varphi\ \mathit{true}}\ \textsc{Init}$$

(The rules for negation are illegible in the scan.)

Typing rules for computations We summarize the typing rules
for computations in Figures 9 and 10.





















Figure 9. Computation typing rules (1)

The partial correctness judgment has the form $\Xi; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q c : \eta$. The rules Fixpoint, SeqE, Act, SeqC and If are present in the scan but too damaged to reproduce; the rule for $\mathsf{ret}(e)$ is legible:

$$\frac{u_2 : b; \Theta; \Sigma; \Gamma^L, u_1 : b, i : b; \Gamma; \Delta \vdash_Q e : \tau \quad u_1 : b, u_2 : b, i : b; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash \varphi\ \mathit{silent} \quad \mathit{fv}(e) \subseteq \mathit{dom}(\Gamma)}{u_1 : b, u_2 : b, i : b; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q \mathsf{ret}(e) : x{:}\tau.((x = e) \wedge \varphi)}\ \textsc{Ret}$$

Figure 10. Computation typing rules (2)

Invariant typing. The rules SeqEI, SeqCI and IfI are present in the scan but too damaged to reproduce; the remaining rules are:

$$\frac{\mathit{fv}(e) \subseteq \mathit{dom}(\Gamma) \quad u_1 : b, u_2 : b, i : b; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash \varphi\ \mathit{silent}}{u_1 : b, u_2 : b, i : b; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q \mathsf{ret}(e) : \varphi}\ \textsc{RetI}$$

$$\frac{u_1 : b, u_2 : b, i : b; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta, \varphi_1 \vdash_Q c : \varphi_2}{u_1 : b, u_2 : b, i : b; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q c : \varphi_1 \Rightarrow \varphi_2}\ \textsc{ImpI}$$

Misc.

$$\frac{k \in [1, 2] \quad u_1, u_2, i; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q c : (\eta_1, \eta_2)}{u_1, u_2, i; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q c : \eta_k}\ \textsc{Pair}$$

$$\frac{u_1, u_2, i; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q c : x{:}\tau.\varphi_1 \quad u_1, u_2, i; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q c : \varphi_2}{u_1, u_2, i; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta \vdash_Q c : (x{:}\tau.\varphi_1, \varphi_2)}\ \textsc{Proj}$$

$$\frac{\Theta; \Sigma; \Gamma^L; \Gamma; \Delta_1 \vdash \varphi\ \mathit{true} \quad \Xi; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta_1, \varphi, \Delta_2 \vdash_Q c : \eta}{\Xi; \Theta; \Sigma; \Gamma^L; \Gamma; \Delta_1, \Delta_2 \vdash_Q c : \eta}$$

(The labels Pair and Proj are transcribed as they sit in the scan; the name of the last rule is illegible.)


CutC 


Figure 10. Computation typing (2) 












Mo : b, U2 : b, i : b; 0 ; E; F^, M3 : b; ■; A, Mq < Mi < M2 F (/Jq silent 

Ml : b; 0 ; E; F^, Mo : b, M2 : b, M3 : b, i : b; •; ipo hgi ei : comp(M6, Ue, j-{ x-.t 

let7 = [Ml,M2,'j/'“6,t‘e, j] 

M 2 ,M 3 ,i; 0 ;E;F^,Mo : b, mi : b;-; A,M2 < M 3 ,<^o,‘Pi 7 Fq2 C2 : V-t'. ip 2 

0 ; E; F^, Mo : b, M3 : b, i : b; F, Mi:b, M2:b, y : r'; A h (ipo A ipi'f A (^2) = 7 > (p true 

0 ; E; F^, Mo : b, M3 : b, i : b,r, y : r' h tp ok 

Mo : b, M3 : b, i : b; 0 ; E; F^; F; A |-q2 (ei; C2) : y-r'.<p 


SeqEComp 


Mo ; b, Ml ; b, t : b; 0 ; E; F^, M3 : b; ■; A, Mo < Mi h ipo silent 

Ml ; b, M2 ; b, t : b; 0 ; E; F^, Mo : b, M3 ; b; •; ipo Fq ci : X'.r.pjx 

U 2 : b, M3 : b, i : b; 0 ; E; F^; Mo : b, Mi : b, •; A, M2 < M3, (po, ‘Pi Fq 2 C2 : y.T .ip 2 

0 ; E; F^; mo : b, M3 : b, i : b; •, Mi:b, M2:b, y : t'; A\- {ipo A ipi A (^2) ip true 

0 ; E; F^; Mo : b, M3 ; b, t : b, F, y : t' \- ip ok 

Mo : b, M3 : b, i : b; 0; E; F^; F; A Fq2 (ci; C 2 ) : y.r .ip 


SeqCComp 


0; E; F^, Mo : b, M3 : b, i : b; F; A F 1/9 ok mo : b, M2 : b, i : b; 0; E; F^, M3 : b; ■; A, Mo < Mi < M2 F ipo silent 
Mo ; b, M3 :h,i: b; 0; E; F^; •; A, Mo < M3 F ipo silent 

Ml : b; 0; E; F^, MO : b, M 2 : b, M 3 : b, i : b; •; ipo Fq ei : comp(M6, Ue, j.{x-.T.'pi, ip'i)) 

U2 : b, M3 :h,i: b; 0; E; F^, Mo : b; •; A, Mi : b; Mi < M2 < M3, ipo, </ 9 i [mi, M2, tte, j] Fq C2 : (p2 
0; E; F^, Mo : b, M3 : b, i : b; F; A F i/pq i/p true 

0;E;F^,mo : b, M 3 : b, i : b;F,Mi:b; A F i/Po A i/9i [mi, M 3 , i/m^. Me, j] =7 (p true 

0; E; F^,Mo : b, M 3 :h,i: b; F, Mi:b, M 2 :b; A F (i/pq A i/pi[mi,M 2 , i/M6,Me, j] A (/P 2 ) => i/p true 

-j-- SeqEIComp 

Mo : b, M 3 : b, i : b; 0; E; F ; F; A Fq (ei; C 2 ) : ip 


0; E; F^, Mo ; b, M3 ; b, i : b; F; A F i/p ok mo : b, mi : b, i : b; 0; E; F^, M3 : b; ■; A, mo < mi F ipo silent 
Mo : b, M3 : b, i : b; 0; E; F^; •; A, Mo < M3 F i^o silent 

Ml : b, M2 : b, i : b; 0; E; F , Mo : b, M3 : b; •; ipo Fq ci : X'.r.ipi 

Ml : b, M3 : b, i : b; 0; E; F^; •; A, Mo : b. Mi < M3, ipo Fq Ci : ip[ 

M2 : b, M3 : b, i ; b; 0 ; E; F^; •; A, Mo : b. Mi : b, 2; : r, M2 < M3, ipo, ipi Fq C2 : ip2 

0 ; E; F^, Mo : b, M3 : b, i : b; F; A F i/Pq => i/p true 

0 ; E; F^, Mo : b, M3 : b, i : b; F, Mi:b; A F (i^o A ipi) => ip true 

0 ; E; F^, Mo : b, M3 : b, i : b; F, Mi:b, M2:b; A F (ipo A Wi A 1P2) => ip true 

-- SeqCIComp 

Mo : b, M3 : b, i : b; 0 ; E; F ;F; A Fq (ci;C2) : ip 


Figure 11. Sequential composition 


TZJ-iNv\ub-Uf,.i.ip\-r-,u = 

{{k,c) I Ve, {k,e) G 7^£:/Jvp[M^,.Me.^.^/p]r;u =;> 

{k, c e) G TZCiNvlub.Ue.i.ipjT;u} 

Semantics for invariant indexed types Figure [m summaries the 
interpretation of types indexed by the invariant property Ub-Ue-i.ip. 
The invariant property is used to constrain the behavior of expres¬ 
sions that evaluate to normal forms that do not agree with their 
types. 

7^C(Mi,.Me.^.l/Pl)|a;:T.(/9]e;r;ul.u2.i = | 

jb is the length of the trace from time mi to the end of T 
je is the length of the trace from time M2 to the end of T 

k>jb> je, 

the configuration at time mi is ^4- Cb l> • • • , (t; x.c' :: K-,c)--- 
the configuration at time M 2 is Ce > • • • , (t; K-, c'[e'/x]} ■ ■ ■ 
between mi and M2, the stack of thread i always contains x.c'y.K 
=7 {je,e') G 7^£(M6.Me.i.l/Pl)[r]9;r;U2 
and T 1= ip[e'/x]} 

7^C(_)Il,9]e;r;ul,«2,i = {(^>c) | 
jb is the length of the trace from time mi to the end of T, 


y'e is the length of the trace from time M2 to the end of T 

k>jb> je, 

the configuration at time mi is ^ 4 - ct;, > • • • , (t; x.c! :: K\c) ■ ■ 
between mi and M2 (inclusive), the stack of thread i always 
contains prefix x.c'y.K 

^T\=y} 

TZT{ub.Ue.i.ipi)lTlx:r.ui.U2.i.(y:r'.ip, (p')]e;r;u = 

{{k,c) I Ve, Vm', ub,ue, l,u < u' < ub < ue, 
let 7 = [MB,MB,t/Ml,M2,i] 

(fc,e) G TZ£{Ub.Ue.i.ipi)lT'yjg.r;u' 

{k,ce) G TZC{ub.Ue.i.ipi)l{y.r'y.ip-y)[e/x]}g.,TiuB,UE,i. 

n7^C()Il/p'7[e/a:]]fl;r;uB.uE..} 

7?.7l(M6.Me.i.V9)[Act(Ml.M2.t.(a::r.V9l, (/P2))](?;r;u = 

{(fc, a) I Vmb, ue,l,u < Ub < ue, 
let 7 = [ms , Mb , t/Mi , M2 , i] 

(fc,act(a)) G {TZC{ub.Ue.i.ip)lx-.r'y.(pi'y]e-,T-,u-,v.B,v.E,i. 
i'!l^X!(ub.Ue ■Ml/ 9 )|l^ 27 ll^i 7 ^i^i^BT^lpii-)} 

TZA{ub.Uf,.i.ip)\nx-.r.Q\e.r\u = 

{{k,a) I Ve,VM', ,u' >u, {k,e) G TZ£{ub.Ue.i.ip)lTle.f,u' 







7 lV(M 6 -We.*.(p)[any]o;r;u = {(fc,nf) | fc G N} 

nV{ub.Ue.i.^)lX]e-,r-,u =e{x) 

TZV{ub.Ue.i.ip)lhje-,T-,u = {(fc, e) | (fc,e) G 'JZVmvlub.Ue.i.ipje-r-,u} 

7^V(M6.^^e.^.(p)I^a::n■T2]e;r;ll = {{k,Xx.e) \ \tj < k,W,u' > u,\/e', (j, e') G 7^£■(M6■Me■^•^/5)[n]e;r;u' 

=> {j,ei[e'/x\) G TZS{ub.u^.i.ip)lT2[e' /x]\e-T-,-a'}^ 

{(fc, nf) I nf / \x.e (fc,nf) G TZ£mvlub.Ue.i.if>\r-u} 
7LV{ub.Ue.i.(p)\iX.T\e-,T-,u = {(fc, AX) | Vj < fc,VC G Type => {j,e') G TZ£{ub.Ue.i.ip)lT]g[x^c]-,T-,u}'J 

{(fc,nf) I nf / AX.e => (fc,nf) G ^f/ivv|u6-Ue-j.y5lr;u} 
TZV{ub.Ue.i.(p)lcomp{ui.U2.i.{x-.T.ipi,(p2))je-,T-,n = 

{(fc, comp(c)) I 'iuB,UE, l,u<ub < Mb, let 7 = [msjMb, t/Mi,M2, i] 

(fc, c) G 'llC{ub.Ue.i.ip)lx\T^.ipi^\g-r-,uB,V.E,I. n 7^C(_)[v527]0;r;uB.l^^3.l}U 
{(fc,nf) I nf / comp(c) =7 (fc,nf) G 7L£iNv\ui.U2.i.ip\r-,u} 

7i£{ub.Ue.i.if)lT\e.r-,u = {(fc, e) | Vj < m,e e! ^=7 (fc - m, e') G 7?.V(M6.Me.i.v5)[r]9;r;u} 


Figure 12. Semantics for inv-indexed types 


=> (fc,a e) G 7l7l(M6.Me.i.v9)|a[e/a;]]e;r;u'} 

7?.7l(M6.Me.i.V3)[VX.Q]e;r;u = 

{(fc, a) I Vj < fc, VC G Type 

=> {j,a ■) G 7lVl(M6.Mei.V9)He[XH->C];r;ii} 

Formula semantics 

|any] = {e | e is an expression} 

[b] = {e I e 6m} 

[na;:Ti.r 2 ] = {Aa;.e | Ve',e' G |ri] => ei[e73;] £ 1^2]} 


T\= Pe 

iff 

PeeeiT) 

$T \models \mathrm{start}(\iota, c, u)$ iff thread $\iota$ has $c$ as the active computation with an empty stack at time $u$ on $T$

$T \models \forall x{:}\tau.\varphi$ iff $\forall e$, $e \in [\![\tau]\!]$ implies $T \models \varphi[e/x]$

$T \models \exists x{:}\tau.\varphi$ iff $\exists e$, $e \in [\![\tau]\!]$ and $T \models \varphi[e/x]$


F. Lemmas 

Lemma 5 ($\mathcal{R}_{\mathrm{INV}}$ is downward-closed).

1. If $(k,c) \in \mathcal{RV}_{\mathrm{INV}}[\![\Phi]\!]_{T;u}$ then $\forall j < k$, $(j,c) \in \mathcal{RV}_{\mathrm{INV}}[\![\Phi]\!]_{T;u}$

2. If $(k,c) \in \mathcal{RE}_{\mathrm{INV}}[\![\Phi]\!]_{T;u}$ then $\forall j < k$, $(j,c) \in \mathcal{RE}_{\mathrm{INV}}[\![\Phi]\!]_{T;u}$

3. If $(k,c) \in \mathcal{RC}_{\mathrm{INV}}[\![\Phi]\!]_{T;u}$ then $\forall j < k$, $(j,c) \in \mathcal{RC}_{\mathrm{INV}}[\![\Phi]\!]_{T;u}$

Proof (sketch): By examining the definition of the relations. □

Lemma 6 ($\mathcal{R}_{\mathrm{INV}}$ is closed under delay).

1. If $(k,e) \in \mathcal{RV}_{\mathrm{INV}}[\![\Phi]\!]_{T;u}$ then $\forall u' > u$, $(k,e) \in \mathcal{RV}_{\mathrm{INV}}[\![\Phi]\!]_{T;u'}$

2. If $(k,e) \in \mathcal{RE}_{\mathrm{INV}}[\![\Phi]\!]_{T;u}$ then $\forall u' > u$, $(k,e) \in \mathcal{RE}_{\mathrm{INV}}[\![\Phi]\!]_{T;u'}$

3. If $(k,e) \in \mathcal{RC}_{\mathrm{INV}}[\![\Phi]\!]_{T;u}$ then $\forall u' > u$, $(k,e) \in \mathcal{RC}_{\mathrm{INV}}[\![\Phi]\!]_{T;u'}$

Proof (sketch): By examining the definitions. □

Lemma 7 (Indexed types are confined). $\mathrm{confine}(\tau)(u_b.u_e.i.\varphi)$ implies

1. $\mathcal{RV}(u_b.u_e.i.\varphi)[\![\tau]\!]_{\theta;T;u} = \mathcal{RV}_{\mathrm{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u}$.

2. $\mathcal{RE}(u_b.u_e.i.\varphi)[\![\tau]\!]_{\theta;T;u} = \mathcal{RE}_{\mathrm{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u}$.

3. For all $n$, $c$: $\big(\forall u_B, u_E, \iota$ s.t. $u \le u_B \le u_E$, $(n,c) \in \mathcal{RC}(u_b.u_e.i.\varphi)[\![x{:}\tau.\varphi[u_B,u_E,\iota/u_b,u_e,i]]\!]_{\theta;T;u_B,u_E,\iota} \cap \mathcal{RC}(u_b.u_e.i.\varphi)[\![\varphi[u_B,u_E,\iota/u_b,u_e,i]]\!]_{\theta;T;u_B,u_E,\iota}\big)$ iff $(n,c) \in \mathcal{RC}_{\mathrm{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u}$.

Proof. By induction on $\tau$. Part 2 uses part 1 directly, part 1 uses part 2 when $\tau$ is smaller, part 3 uses part 2 directly, and part 1 uses part 3 when $\tau$ is smaller.

Proof of 1. 

case: r = 6. Follows directly from the definitions 
case: r = Ux : ri.r 2 


By assumptions 

confine (ri) (ub-U^.i.ip) and confine (ri) (ub-Ue.i.p) ( 1 ) 
Assume 

(n,nf) G 7?.V(Mi,.Me.i.</3)|n2; : ri.r 2 ]e;r;,j (2) 

To show: (n,nf) G TZVmvlub.Ue.i.pjT-.u 

We first consider the case when nf = Aa;.ei 

Given 0 < j < n, u' > u (j, e') G TZ£mvlub.Ue.i.plr-,u' 

By I.H. on ri 

(j, e') G TZ£{Ub.Ue.i.ip)lTllg.r-,n' 

By ( 2 ) 

(y, ei[e73;]) £ TZ£{ub.Ue.i.(p)\T2\e'/xWe-r-y (3) 

By I.H. on T 2 and (3) 

(y, ei[e7»]) £ TZ£iNv\ub.Ue.i.ip\T-y (4) 

By (4) 

(n, Ax.ei) G TZVimlub.Ue.i.ip\T-,u 
Next we consider the case where nf = AX.ei or comp(c) 

this follows from the definition directly 
The proof of the other direction is similar.

case: r = comp(Mi,.Me.i.(a;:r.y2, p)) 

By assumption 

confine (r) (ub-Ue.i.p) (1) 

Assume 

(n, nf) G 7?.V(Mi,.Me.i.V3)|comp(Mi,.Me.i.(2;:r.:/3, (yj))]e;r;u (2) 
To show (n,nf) G 7?.V/A,v|u6.Me.i.V3]r;u 

We show the case when nf = comp(c), the other cases are trivial 
By definitions, Vmb, Mb, t, M < Ms < mb, 
let 7 = [ms ,ue, b/ub,Ue,i] 

(n, c) £TZC{ub.Ue.i.(p)lx:T'y.(pi'yjg.riuB,UE,i. 

r(TlC(f)lp2'y\B-T-,uB,uE,L (3) 

By I.H. and (3) 

(n, c) G 7i£mvlub.Ue.i.>p\T-,u (4) 

By (4) 

(n, nf) G 7 ?.V/iVv|u 6 .Me.i.V 5 ]r;u (5) 

The proof of the other direction is similar 

Part 3 is proven straightforwardly by expanding the definitions of the two relations.

□ 

Lemma 8 (Invariant confinement). Assume that $\varphi$ is composable, and that thread $\iota$ being silent between times $u_B$ and $u_E$ implies $T \models \varphi[u_B, u_E, \iota/u_b, u_e, i]$. Then:

1. If $\mathrm{fa}(e) = \emptyset$, $\mathrm{fv}(e) \subseteq \mathrm{dom}(\gamma)$ and $(n,\gamma) \in \mathcal{RE}_{\mathrm{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u}$, then $(n, e\gamma) \in \mathcal{RE}_{\mathrm{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u}$.

2. If $\mathrm{fa}(c) = \emptyset$, $\mathrm{fv}(c) \subseteq \mathrm{dom}(\gamma)$ and $(n,\gamma) \in \mathcal{RE}_{\mathrm{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u}$, then $(n, c\gamma) \in \mathcal{RC}_{\mathrm{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u}$.

3. If $\mathrm{fa}(c) = \emptyset$, $\mathrm{fv}(\mathrm{fix}\,f(x).c) \subseteq \mathrm{dom}(\gamma)$ and $(n,\gamma) \in \mathcal{RE}_{\mathrm{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u}$, then $(n, (\mathrm{fix}\,f(x).c)\gamma) \in \mathcal{RF}_{\mathrm{INV}}[\![u_b.u_e.i.\varphi]\!]_{T;u}$.

Proof. By induction on the structure of the terms. Part 3 needs a sub-induction on $n$. We show a few key cases.

Proof of 1. 

case: e = ei 62 


By I.H. 

(n, 617 ) G TZ£imlub.Ue.i.ip\T-,v, (1) 

(^, 627 ) G TZ£lNvlUb.Ue.i.'p\T-,u (2) 

Assume ( 6162)7 —>■"* nf -f* 

617 nfi ^ (3) 

We consider two cases: nf 1 = \x.e and nf 1 7 ^ Xx.e 
Subcase nfi = Xx.e'. 

By(l) 

(n - j, Xx.e) G 'JlVmvl'Ub.Ue.i.‘p}T-,u (4) 

By (2) and Lemma[3 

(n- j - 1, 627 ) G TZSmvlub.u^.i.ifijT-.u (5) 

By (4) and (5) 

{n — j — 1, 6 [ 627 /a;]) G TZSiNvlub.Ue.i.ipjnu ( 6 ) 

By (6) 

(n, ( 6162 ) 7 ) G TZ£mvlub.u^.i.<fijT-,u (7) 

Subcase nfi 7 ^ Xx.e: 

( 6162)7 nfi( 627 ) ^ ( 8 ) 

By definitions 

(n, ( 6162 ) 7 ) G 7i£iNvlub.Ue.i.<pjT-,u (9) 


Proof of 3 is by sub-induction on n 
case: n — 0 

The fixpoint couldn’t have returned. We only need to show that 
the trace satisfies ip. This is true because the thread executing 
the fixpoint is silent, 
case: n = k + 1 


Assume that {k, fix f{x).cj) G TZTjNvlub.Ue.i.pjr-.u (1) 
To show {k + 1, f ix/(a;).c 7 ) G TZTmvlub.Ue.i.tflnu 
V6, {k -b 1,6) G TZ£mvlub.Ue.i.(p}r;u 
To show (fc -b 1, c 6) G IZCmvlUb.Ue.i.plTlu 
By(l), 

(fc, A 2 .comp((f ix/(a:).c 7 ) 2 )) £ TZ£mvl'Ub.Ue.i.(pjT-,u (2) 
By I.H. on c and Lemma|5]and|^ 

(fc, c[A 2 .comp((f ix/(a;).C7) 2 )//][ 6 /a;]) 

G TZCmvl’Ub.Ue.i.pjTiu (3) 

Assume thread l executes the fixpoint, 
we consider the following time intervals: 

(i) Before the fixpoint is unrolled, 

(ii) the body of the fixpoint is evaluated, 

(iii) the fixpoint returns 61 
By t is silent in (i) 

(p holds in (i) (4) 

By (3) and p is composable, 
p holds in (ii) and (iii) 
and (je,6i) G TZ£mvlub.Ue.i.p}T-,uE 
where Ue is the time when 61 is returned 
and je is the length of T from Ue till the end of T (5) 
By (4) and (5) 

(fc-b 1, fix/(a;).C7) G 'llFmvlub.Ui,.i.p'\T-,u 

□ 


G. Properties of Interpretation of Types 

Lemma 9. If $\mathit{nf} \neq \lambda x.e$, $\Lambda X.e$ or $\mathrm{comp}(c)$, then $(n, \mathit{nf}) \in \mathcal{RV}(\Phi)[\![\tau]\!]_{\theta;T;u}$.

Proof (sketch): Case on $\tau$. For all cases except when $\tau = X$, the conclusion follows from the definition of $\mathcal{RV}_{\mathrm{INV}}[\![\Phi]\!]_{T;u}$.

When $\tau = X$, $\theta(X) \in \mathrm{Type}$. By the definition of $\mathrm{Type}$, every $C \in \mathrm{Type}$ contains all stuck terms that are not functions or suspended computations. □

Lemma 10 (Substitution). If $C = \mathcal{RV}(\Phi)[\![\tau_1]\!]_{\theta;T;u}$ then

1. $\mathcal{RV}(\Phi)[\![\tau]\!]_{\theta[X \mapsto C];T;u} = \mathcal{RV}(\Phi)[\![\tau[\tau_1/X]]\!]_{\theta;T;u}$

2. $\mathcal{RE}(\Phi)[\![\tau]\!]_{\theta[X \mapsto C];T;u} = \mathcal{RE}(\Phi)[\![\tau[\tau_1/X]]\!]_{\theta;T;u}$

3. $\mathcal{RC}(\Phi)[\![\eta]\!]_{\theta[X \mapsto C];T;s} = \mathcal{RC}(\Phi)[\![\eta[\tau_1/X]]\!]_{\theta;T;s}$

4. $\mathcal{RA}(\Phi)[\![\alpha]\!]_{\theta[X \mapsto C];T;u} = \mathcal{RA}(\Phi)[\![\alpha[\tau_1/X]]\!]_{\theta;T;u}$

Proof (sketch): By induction on the structure of $\tau$, $\eta$, $\varphi$ and $\alpha$. □

Lemma 11 (Downward-closure).

1. If $(k,c) \in \mathcal{RC}(\Phi)[\![\eta]\!]_{\theta;T;s}$ then $\forall j < k$, $(j,c) \in \mathcal{RC}(\Phi)[\![\eta]\!]_{\theta;T;s}$.

2. If $\mathrm{ftv}(\tau) \subseteq \mathrm{dom}(\theta)$, $\forall X \in \mathrm{dom}(\theta)$, $\theta(X) \in \mathrm{Type}$, and $(k,e) \in \mathcal{RV}(\Phi)[\![\tau]\!]_{\theta;T;u}$, then $\forall j < k$, $(j,e) \in \mathcal{RV}(\Phi)[\![\tau]\!]_{\theta;T;u}$.

3. If $\mathrm{ftv}(\tau) \subseteq \mathrm{dom}(\theta)$, $\forall X \in \mathrm{dom}(\theta)$, $\theta(X) \in \mathrm{Type}$, and $(k,e) \in \mathcal{RE}(\Phi)[\![\tau]\!]_{\theta;T;u}$, then $\forall j < k$, $(j,e) \in \mathcal{RE}(\Phi)[\![\tau]\!]_{\theta;T;u}$.

Proof (sketch): By examining the definitions. The proof of part 3 uses the proof of part 2, and part 2 uses part 1. □

Lemma 12 (Substitutions are closed under index reduction). If $\mathrm{ftv}(\Gamma) \subseteq \mathrm{dom}(\theta)$, $\forall X \in \mathrm{dom}(\theta)$, $\theta(X) \in \mathrm{Type}$, $(n,\gamma) \in \mathcal{RG}(\Phi)[\![\Gamma]\!]_{\theta;T;u}$ and $j \le n$, then $(j,\gamma) \in \mathcal{RG}(\Phi)[\![\Gamma]\!]_{\theta;T;u}$.

Proof (sketch): By induction on the structure of $\Gamma$, using Lemma 11. □

Lemma 13 (Validity of types). If $\mathrm{ftv}(\tau) \subseteq \mathrm{dom}(\theta)$ and $\forall X \in \mathrm{dom}(\theta)$, $\theta(X) \in \mathrm{Type}$, then $\mathcal{RV}(\Phi)[\![\tau]\!]_{\theta;T;u} \in \mathrm{Type}$.

Proof (sketch): By the preceding lemmas. □

Lemma 14 (Closed under delay).

1. If $(k,e) \in \mathcal{RV}(\Phi)[\![\tau]\!]_{\theta;T;u}$ and $u' > u$ then $(k,e) \in \mathcal{RV}(\Phi)[\![\tau]\!]_{\theta;T;u'}$.

2. If $(k,e) \in \mathcal{RE}(\Phi)[\![\tau]\!]_{\theta;T;u}$ and $u' > u$ then $(k,e) \in \mathcal{RE}(\Phi)[\![\tau]\!]_{\theta;T;u'}$.

Proof (sketch): By examining the definitions and using Lemma 6. □

Lemma 15 (Substitutions are closed under delay). If $(n,\gamma) \in \mathcal{RG}[\![\Gamma]\!]_{\theta;T;u}$ and $u' > u$ then $(n,\gamma) \in \mathcal{RG}[\![\Gamma]\!]_{\theta;T;u'}$.

Proof (sketch): By induction on the structure of $\Gamma$, using Lemma 11. □

H. Soundness 

Theorem 16 (Soundness). Assume that's) A :: a £ E, Vifi, T, ri, u, (n. A) G 
'£i-A{^)\a\..^r-,v., then 

I. (a) • £ :: u : b; 0; E; F^; F; A F 4 . 6 : r, 

• W9 G 7^r[0], 

• V7^ e [F^l, 

• V(7, U', U' > U, fef 7 , = [U/u], 

• VT, Vn, 7 , (n; 7 ) G TZG{^)ir^u^^jg-,T;U', 

• T1= A77u7^ 

implies (n; 67 ) G Ti£{^)l'r^lu~i^}e-,T-,u' 

(b) • f :: ui, M 2 , i; 0; E; F^; F; A Fs c : 77 , 

• Vu, ub, ue, t s.t. u < ub < ue, let-yi = [ub,ue, t/ui ,U 2 ,i] 

• G 7^r[0]. 

. V7'^ G [F^l, 

. Vr. Vn, 7 , (n; 7 ) G 7^e($)|F7l7^]s;r;u, 

• T N A'y'yi'y^ 

implies (n; 07 ) G 7lC(<I>)[7777i7^]0;r;uB,*'E,‘ 


(c) 


(d) 


2 . (a) 


(b) 


(c) 


(d) 


• £ ::u:b;0;E;r^;r;AI-.j c ■. rjc, 

• ve G 7 ^rIel, 

• G [r^^], 

• W, U',U' > U, let-fu = [U/u], 

• VT, Vn, 7 , (n; 7 ) G 'TlQ{^)\£''yu^^le-,T-,u', 

• T\= A77„7^ 

implies {n;c'y) G 7^-^(4>)[?7c77ii7^1e;r;C/' 

• f :: u : b; 0 ; E; F^; F; A a : a, 

• ye G 7 ^r[ 0 l, 

• G [F^i, 

• yu, U',U' > U, let'yu = [U/u], 

• VT, Vn, 7, (n;7) G TC/($)|F7„7^]0.r;(7', 

• T\= A77„7^ 

/mp&i (n;a7) G TVlf®) lQ^77ii7^]s;r;C/' 

• F^; F; A h e : r, 

• ye G TT[0i, 

. V 7 ^ e [F^l, 

• yu, U',U' > U, ter 7 „ = [U/u], 

• VT, V-F, Vn, 7 , (n; 7 ) G TZg{^)irjuJ%-T-,u', 

• T 1= A77„7^ 

i'mpfe (n;e7) G T£:($)|r77„7^]9.r;(7' 

• £ :: m, U2, j; 0 ; E; F^; F; A h c : 7, 

• y u, ub, ue, bs.t.u < ub < ue, let'yi = [us, u_b, t/ui, 

• Ve G TTI 0 ], 

• V7^ G [F^l, 

• VT, V-F, Vn,7, (n;7) G Te(F)|F7i7-^]e;r;., 

• T N 

implies (n; 07 ) G TC($)|777i7^]e;r;iiB.UE,i 

• f :: n : b: 0; E; F^; F; A h c : 7 c, 

• ye G TTI01, 

• V7^ G [F^], 

• yu, U',U' > U, let'yu = [U/u], 

• VT, V-F, Vn, 7 , (n; 7 ) G TZg{^)irjuJ%-,T-,u', 

• T1= A 77 „ 7 ^ 

implies (n; C 7 ) G T.T($)[7c77»i7^1e;r;i7' 

• f :: n : b; 0 ; E; F^; F; A h a : a, 


case: Confine 

p is trace composable 
£' :: nt,, tic, i; 0; E; F^, m; F; A F p silent 
Mi,:b, ne:b, t:b h (/: ok fa(e) = 0 fv(e) C F 
confine (r) [uh-u^.i.p) confine (F) [uh-u^.i.p) 

u- 0; E; F^; F; A \-u^.ue.i.ip e : r 

By assumptions 

e G TTI0],V7^ G [F^], 

7 „ = U/u, U' >U,T^ A 77 „ 7 '^ 

and (n; 7 ) G Tig{ub.Ue.i.p)lT'yu'y^je-,T-,u', 

By LemmaQand (1) 

and (n; 7 ) G TZ£mvl^jT;U' 

By I.H. on £', given any t, ub, and ue, 

L is silent between ub and ue implies 
T N p[ub,Ue, o/ub,Ue, i] 

By (1) and (3) and Lemma[ 8 ] 

(n, ey) G TL£mvlub-u^.i.p'\r-,u' 

By (4) and Lemma|7] 

(n; 67 ) G TL£{ub.u^.i.p)lT^u'y^le-,T-,u' 

Proof of 2.(a). 
i] 

£' :: 0;E;F^,m,F h n ok 

u; 0; E; F^; F, a; : Ti; A h e : r 2 

-- E-Fun 

case: n; 0; E; F^; F; A h Aa:.e : na;:Ti.T 2 

By assumptions 

e G TT[0],V7^ G [F^], 

7 „ = U/u, U' >U,T^ A 77 „ 7 '^ 
and (n; 7 ) G TC/(<F)|F7,c7^]e;r;t/o 
Given j < k, u” > U', 

and (j,eo) G T£:(<F)[ri 77 „ 7 ^]e. 7 -;„" 

By Lemmafl^andfTS] 

{r,y) & 

By (2) and (3) 



(e)

(f)


• ye G TTI01, 

• V7'^ G [F^], 

• yu, u', u' > u, let-f,, = [U/u], 

• VT, V-F, Vn, 7 , (n; 7 ) G Ta(-F)[F7„7-^le;r;t/', 

• T 1 = A 77 „ 7 ^ 

implies (n; ay) G TZA{^)\ayyu 7 ^]s;r;C/' 

• £ til, ti 2 , t; 0; E; F^; F; A h p silent, 

• y u, Ub, Ue, l s.t. u < ub < ue, 

• letyi = [tis,MB,;./tii,ti 2 ,t] 

• ye G TTI 0 ], 

• yy^ G [F^], 

• V$, VT, Vn, 7 , (n; 7 ) G Tg(F)|F7i7-^]e;r;., 

• jb is the length ofTfrom time ub to the end ofT, 

• je is the length ofT from time ue to the end ofT, 

• n>jb> jc 

• between time ub and time ue, thread l is silent 

• T 1 = A771 
implies T 1 = (95771) 

• £ :: 0;E;F^;F;A h p true, 

• ye G TT[0i, 

. yy^ G [F^], 

• VT, V-F, Vn,7,ti, (n;7) G ng{^)lVy%.,T-,u, 

• T 1 = Ay^y 
implies T 1= py^y 


Proof. By induction on the structure of £. 
Proof of l.(a). 


(i; 7 [* eo]) G TC/($)[(F, a; : n) 7 u 7 ^]e;r;u", ( 4 ) 

By I.H. on £' 

U, ey[x ^ eo]) G T£’(-F)[r 27 u 7 ^ 7 [a: eo]]e;r;^" (5) 

By ( 5 ) is derived based on assumption in ( 2 ) 

{n,\x.ey) G TV($)[(na;:ri.r2)77„7^]e.7-;i7' (6) 

By (6) 

{n,Xx.ey) G T£(-F)[(na;:Ti.r2)77„7^]e;r;t/' 

£1 :: u; 0 ; E; F^; F; A h ei : na::Ti.r2 

£2 :: ti; 0 ;E;F^;F; A h 62 : ri 

-42—;-LJ-E-App 

case: m; 0 ; E; F ; F; A I- ei €2 : 7-2 [e2 /x] 


By assumptions 


e G ttI 01,7’^ e [r^]. 


7„ = U/u, U' >U,T\= A77„7-^ 


and (n;7) G TZg{$)iryuy^lo-,T-,u' , 

(1) 

By I.H. on £2 


(n,e 27 ) F 7^f(F)|rl77„7'^]e.r;^7' 

(2) 

By I.H. on £i 


(n, 617) G Tf(-F)|(n2;:ri.r2)77u7^]0;r;(7' 

( 3 ) 


Assume (ei 62)7 -T/f nf 
By ( 3 ), 

(ei 62)7 -tj nfi(e27), 

and (n - m,nfi) G TV($)|(na;:Ti.r2)77„7^]e;r;i7' ( 4 ) 
We consider two cases: 
subcase 1: nf 1 = Xx.e'i 
By ( 4 ) 






(n-m-l,e'i[e27/»]) e 7 ^^:(<E>)[r277„7^[e27/»]]9;r;(7' ( 5 ) 
By ( 4 ) and ( 5 ) 

{n, (6162)7) G ($)[('r2[62/a;])77u7^1e;r;!7' (6) 

subcase 2: nf 1 7^ Aa;.6i 
By Lemma|^ 

(n - m,nfi(e 27 )) € 7^V($)|r277„7^[627/a:]]e;r;(7' (8) 
By (8) 

(n, (6162)7) G (4>)[('62[62/a;])77u7^]e;r;(/' ( 9 ) 

Proof of 2.(b) 
case: SeqC 

Si :: Uq, ui, *; 0; S; F^; U3, F; A, wq < ui h (po silent 
£2 ■■ ui,U2,i-, 0 ; E; F^, uo ; b, 113; F; A, ui < U2, ipo 

h Cl : X’.T.ipi 

£3 U2,U3,i\ 0 ; E; F^, uq, Mi; F, a; : r; A, M2 < M3, ipo, </^i 

h C2 : y-T .ip2 

£a :: 0; E; F^, Mi, M2, mq, M3, i; F, x-.t, y ■. t';A 
h (ipo A V3i A 1^2) =7 y> true 
0; E; F^, Mo, M3, i\V ,y t' \- y ok 
fv(letc(ci, *.62)) C dom(F) 


let 74 = 77^ [ub , Mb , t/Mo, Ms , i] [m^i , Um 2 /mi , M 2 ] [60 /a;], 
(im 2 , 5 “tMma[ 6 o/a;]) 

G 7^0('I')I(F,a::T)74)[Mm2,MB,t/M2,M3,i]]e;r;u™2 (12) 

By I.H. onfs, (11), (12) 

(im 2 ,C 27 [ 6 o/a:]) G 7^C($)[(y:T'.^/32)74]e;r;u,„2,^‘EM (13) 
By (14) 

(ie,6) G 7^£($)[r'74]e;r;l.E and 
T 1= 1 ^ 274 ( 6 / 1 /] (14) 

By I.H. on £a 

T N (7>0 A l/3l7eV52[6/t/])74 ^ <P74[6/y] (15) 

Tl=ip74[6/y] (16) 

By (14) (15) 

(n,lete(ci,a;.C2)7) G 7^C(<F)I(1/ : t' 

Proof of 2.(f) 
case: Honest 

£i :: Ml, M 2 , i; 0; E; F^; •; A h c : va 
£2 :: 0; E; F^; •; A h start(I, c, m) true 
0;E h F^,F ok 

0; E; F^; F; A h 'iu ■.'b.{u'>u) =7 ip[u, u , I /mi, M 2 , i] true 


Mo, Ms, i; 0; E; F^; F; A h letc(ci, a;.C 2 ) : y-T .y 
By assumption 

Pick time points m, mb, ue and thread id t, s.t. m < ub < ue, 
let 7 i = [ms, Mb, t/uo, M3, i] 

Pick any trace T, such that T 1= A 7 ^ 77 i 

eG7^r[0],7'^ G [F^], 

(n;7) G 7lC/(<&)IF7„7^]e;r;c/', (1) 

the length of the trace from time us to the end of T is jb 
the length of the trace from time mb to the end of T is je 
and n> jb> je (2) 

the configuration at time mb is 


By assumptions 

6) G7^r[01,7■^ G [F^l, 

( 1 ) 

To show T Ne (Vu .{u' > u) =7 (^[m, m', //mi, M2, *])77^ 

By I.H. on £2 

T \=e start(7, c, m) 7 ^ (2) 

By (2) 

at time wy^, thread starts to evaluate c on an empty stack, (3) 

Given any time U' > m 7 ^, and k such that the length of T 
after uy^ is no less than k 
By I.H. on £1 

(k,c) G 7^C($)[<P7[M7,^7', 77 /Ml, M2,*]le;r;u7.[/'.77 (4) 


- i- at t> ■ ■ ■ , (t; y.c :: 77; lete( 6 i, *. 62 ) 7 ) • ■ • 

the configuration at time mb is 
- ,{L-K-c[e/y])--- 

and between ub and ue (inclusive), the stack of thread t 
always contains prefix y.c :: K 
By fhe operational semantics 

exists MttiI, Urn2i S.t. ^Mm^^Mp 

the configuration at time m^i is 
21^ o-„,i > • • • , (t; x.C 2 y :: y.c :: 77; C17) • • •, 


the configuration at time Mm 2 is 
21^ (Jm 2 > • • • , (t; y.c :: 77; C 27 [ 6 o/a:]) ■ 


By (4) 

between time mb and Mmi, thread t is silent 
By(l), 

TN (A7^77i,(mo < Ml)7l[Mml/Ml]) 

By(l) 

(jml,7) G 7^0('I‘)IF7^[MB/M3][MB,Mml,t/Mo,Ml,i]]e;r;u, (7) 

By I.H. on £i and (5), (6) and (7) 

7" 1= v5o77^7i[wmi/Mi] (8) 

Let 72 = 77^7i[Mmi/Mi] 

By (I) and LemmafTSland u < Um\ 

G 775('l>)[F[MB,Mml,Mm2,MB,r/Mo,Ml,M2,M3, j]]e;r;umi (9) 

Let 73 = [m 

ml ; Mm2,t/M6,Me,i], 

By I.H. on 7:2 and (6), (8), (9) 

(n, C 17 ) G 7 ^C($)I(a;:T.(pl) 7273 ] 0 ;r;uml;um 2 M (10) 


because c starts from an empty stack, 
c couldn’t have returned at time 77', 

By (4) (5) and (1) and the definition of TIC, 
TNe yy^[uy,U',Iy/ui,U2,i] 

( 3 ) case: VI 

£' :: 0;E;F^,a; : r;F;A h y true 
0 ;E;F^;F;AI-Va;:r.v5true 
By assumptions 

e G TZTiej, G [F^], T N Ayy^ 
and (n-,y) €TZg{^)lTy%;T-,u, 

Given any e such that e G |r] 



7 [6/a;] G [F , x : r] 

By I.H. on £' 

T N v?7^[6/x]7 

By definitions 

T N {yx-.T.ip)y^y 



□ 


By (10), 

let jm 2 be the length of the trace from time Mm 2 1° Ih® ^^*0 of T 

(jm 2 , 6 o) G T^f ('I>)[T7273]fl;r;um2 ^nd 

TN ¥’i7273[6o/x] (11) 

By LemmafT^and jm 2 < n 







I. Proof Sketch of State Integrity for Memoir 

We prove the correctness of a TPM-based state continuity mechanism that closely follows Memoir [ref].

Terms, Actions and Predicates 

We first describe here the terms, actions and predicates that model 
the TPM functionality, cryptography and communication. 

TPM functionality. The TPM is modeled by the following actions. The actions reset_pcr(p) and extend_pcr(p, h) respectively reset the state of the PCR p to some default value and extend the value of p with the value h. The action verify_pcr(p, h) checks whether the state of PCR p is h, and aborts otherwise. The action setNVRAMlocPerms(Nloc, p) ties the permissions for NVRAM location Nloc to the current contents of the PCR p. The actions NVRAMwrite(Nloc, m) and NVRAMread(Nloc) respectively write the message m to, and read from, the NVRAM location Nloc. The action ll_enter(e) starts a new late launch session with computation e called on some arguments. A late launch session is modeled by a new thread that runs e with no other thread running in parallel. The action ll_exit() exits from a late launch session.

Cryptography. Symmetric encryption is modeled by the actions encrypt(k, m) and decrypt(k, c). Message authentication codes are modeled by mac(k, m) and verify_mac(k, m, m'). Hash functions are modeled by the action hash(m). A message m encrypted by a key k is denoted by the term ENC_k(m). Similarly, a MAC of a message m with key k is denoted by MAC_k(m). A hash is represented by the term hash(m). The special term code_hash(c) refers to the textual reification of the computation c. The term hash_chain(m_1, m_2, ..., m_k) is syntactic sugar for the iterated hash hash(hash(hash(m_1)||m_2) ... ||m_k). Here, the term m_1||m_2 represents the concatenation of messages.

Communication. Communication is modeled by the send(m) and receive() actions. By default, messages are not authenticated, so send and receive do not take a recipient or a sender argument, respectively.

Flags. To state the overall state continuity property, we require three flags (service_init, service_try and service_invoke) which simply record the values of variables at a particular point.

Figure 13 contains our model for the Memoir system. The suspended computation runmodule is expected to run in a late launch session that models both the initialization and the execution phase of Memoir. Lines 14-26 model the initialization phase and lines 28-40 model the execution phase. We only describe the initialization phase here; the execution phase proceeds similarly. During initialize, the code for service is hashed into PCR 17. Subsequently, it is checked whether PCR 17 contains a hash chain starting with -1 and followed by a hash of the textual reification of runmodule. This ensures that a late launch session with runmodule was initiated. A symmetric key is then generated that acts as the encryption and MAC key for subsequent sessions of Memoir. Then, the permissions on Nloc, the NVRAM location allocated for the session, are tied to the current value of PCR 17. An initial history summary and the symmetric key are then written to the NVRAM location, and the value of PCR 17 is extended with a dummy value so that Nloc cannot be read unless a new runmodule session is started. The service is then initiated to generate a state of the service that is then encrypted and MACed along with the history summary and sent to the adversary for persistent storage.
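As an added, constructed example (not the paper's model and not Memoir's code), the following Python simulates the mechanism described above: PCR 17 measurements, an NVRAM location whose access is bound to a PCR value, and snapshots checked against the NVRAM history summary. The TPM class, the XOR-based cipher stand-in, the counter service and names such as run_scenario are assumptions of this example, as is the choice that a late launch resets PCR 17 to hash(-1); the scenario runs two requests, then shows that the NVRAM location is locked outside a session, that an older snapshot is refused, and that re-presenting the last snapshot with the same request (crash recovery) is accepted.

```python
import hashlib
import hmac
import os

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def hash_chain(*msgs):  # hash_chain(m1, ..., mk) = hash(hash(hash(m1) || m2) ... || mk)
    acc = H(msgs[0])
    for m in msgs[1:]:
        acc = H(acc, m)
    return acc

RUNMODULE_HASH = H(b"code:runmodule")  # stand-in for code_hash(runmodule): a name, not a reification

class TPM:  # PCR 17 plus NVRAM locations whose access is bound to a PCR value
    def __init__(self):
        self.pcr = {17: H(b"-1")}  # assumption: late launch resets PCR 17 to hash(-1)
        self.nv, self.perms = {}, {}
    def ll_enter(self):  # a new session measures runmodule: hash_chain(-1, code_hash(runmodule))
        self.pcr[17] = H(H(b"-1"), RUNMODULE_HASH)
    def extend_pcr(self, p, h):
        self.pcr[p] = H(self.pcr[p], h)
    def verify_pcr(self, p, h):
        if self.pcr[p] != h: raise RuntimeError("verify_pcr: abort")
    def set_nvram_loc_perms(self, nloc, p):
        self.perms[nloc] = (p, self.pcr[p])
    def _guard(self, nloc):  # every NVRAM access re-checks the bound PCR value
        p, required = self.perms[nloc]
        if self.pcr[p] != required: raise PermissionError("NVRAM location locked")
    def nvram_write(self, nloc, m):
        self._guard(nloc); self.nv[nloc] = m
    def nvram_read(self, nloc):
        self._guard(nloc); return self.nv[nloc]

def mac(k, m): return hmac.new(k, m, "sha256").digest()

def encrypt(k, m):  # stand-in for encrypt(k, m): XOR with an HMAC keystream (m <= 32 bytes)
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(m, mac(k, nonce)))

def decrypt(k, c): return bytes(a ^ b for a, b in zip(c[16:], mac(k, c[:16])))

def snapshot(state, summary, skey):
    enc_state = encrypt(skey, state)
    return enc_state, summary, mac(skey, enc_state + summary)

def check_snapshot(snap, request, history, skey):
    enc_state, tag, auth = snap
    if not hmac.compare_digest(mac(skey, enc_state + tag), auth):
        raise RuntimeError("verify_mac: abort")
    # tag == history: current snapshot.  hash(tag||request) == history: NVRAM was already
    # advanced for this same request (crash before the reply was stored), so redoing it is safe.
    if tag != history and H(tag, request) != history:
        raise RuntimeError("stale snapshot: abort")  # anything older is a rollback
    return decrypt(skey, enc_state)

def initialize(tpm, service, nloc):
    tpm.extend_pcr(17, service.code_hash)
    tpm.verify_pcr(17, hash_chain(b"-1", RUNMODULE_HASH, service.code_hash))
    skey, history_summary = os.urandom(32), b"\x00"
    tpm.set_nvram_loc_perms(nloc, 17)
    tpm.nvram_write(nloc, (history_summary, skey))
    tpm.extend_pcr(17, b"\x00")  # cap PCR 17: Nloc is unreadable until the next session
    return snapshot(service.init(), history_summary, skey)

def execute(tpm, service, nloc, snap, req):
    tpm.extend_pcr(17, service.code_hash)
    history_summary, skey = tpm.nvram_read(nloc)  # fails unless PCR 17 matches
    state = check_snapshot(snap, req, history_summary, skey)
    new_summary = H(history_summary, req)
    tpm.nvram_write(nloc, (new_summary, skey))  # commit the request before running it
    tpm.extend_pcr(17, b"\x00")
    new_state, resp = service.exec(state, req)
    return resp, snapshot(new_state, new_summary, skey)

class CounterService:  # constructed service: the state is a 4-byte counter
    code_hash = H(b"code:counter")
    def init(self): return (0).to_bytes(4, "big")
    def exec(self, state, req):
        n = int.from_bytes(state, "big") + (1 if req == b"inc" else 0)
        return n.to_bytes(4, "big"), n

def refused(thunk):  # True when the TPM or check_snapshot aborts the action
    try:
        thunk(); return False
    except (PermissionError, RuntimeError):
        return True

def run_scenario():
    tpm, svc, nloc = TPM(), CounterService(), "nloc0"
    tpm.ll_enter(); snap0 = initialize(tpm, svc, nloc)
    tpm.ll_enter(); r1, snap1 = execute(tpm, svc, nloc, snap0, b"inc")
    tpm.ll_enter(); r2, _ = execute(tpm, svc, nloc, snap1, b"inc")
    nv_locked = refused(lambda: tpm.nvram_read(nloc))  # PCR 17 is capped outside a session
    tpm.ll_enter()
    rollback_refused = refused(lambda: execute(tpm, svc, nloc, snap0, b"inc"))  # stale snapshot
    tpm.ll_enter()  # crash recovery: snap1 with the same request is accepted once more
    r3, _ = execute(tpm, svc, nloc, snap1, b"inc")
    return {"r1": r1, "r2": r2, "r3": r3, "nv_locked": nv_locked, "rollback_refused": rollback_refused}
```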

Predicates. Each action has a corresponding action predicate. All action predicates are listed in Figure 14. Every action predicate has an additional argument that corresponds to the thread that performed that action. The one exception is the action predicate LLEnter, for which the first argument j is the thread corresponding to the late launch session.

Apart from action predicates, we have predicates which capture state. The predicate val_pcr(p, h)@u states that at time u, the value of the PCR p is the hash h. The predicate NVPerms(Nloc, p, h)@u states that the permissions on the NVRAM location Nloc are set to the value of the PCR p being the hash h. The predicate val_NV(Nloc, m)@u states that the NVRAM location Nloc contains the value m at time u.

We have some predicates about the structure of terms. The predicate hash_prefix(h_1, h_2) states that the hash chain h_2 can be obtained by extending h_1 with additional hashes.


Action                                               Predicate
reset_pcr(p)                                         ResetPCR(i, p)
extend_pcr(p, h)                                     ExtendPCR(i, p, h)
verify_pcr(p, h)                                     VerifyPCR(i, p, h)
setNVRAMlocPerms(Nloc, p)                            SetNVPerms(i, Nloc, p)
NVRAMwrite(Nloc, m)                                  NVWrite(i, Nloc, m)
NVRAMread(Nloc)                                      NVRead(i, Nloc, m)
ll_enter(e)                                          LLEnter(j, e)
ll_exit()                                            LLExit(i)
encrypt(k, m)                                        Encrypt(i, k, m)
decrypt(k, m)                                        Decrypt(i, k, m)
mac(k, m)                                            MAC(i, k, m)
verify_mac(k, m, m')                                 VerifyMAC(i, k, m, m')
hash(k, m)                                           Hash(i, k, m)
service_init(skey, service, state, Nloc)             service_init(i, skey, service, state, Nloc)
service_try(skey, service, state, Nloc)              service_try(i, skey, service, state, Nloc)
service_invoke(skey, service, state, state', Nloc)   service_invoke(i, skey, service, state, state', Nloc)

Figure 14. Action Predicates


Abbreviations and Definitions 

Figure 15 summarizes the abbreviations we use.


Abbreviations

$(\varphi \wedge \psi)@u = (\varphi@u) \wedge (\psi@u)$

$(\varphi \vee \psi)@u = (\varphi@u) \vee (\psi@u)$

$(\neg\varphi)@u = \neg(\varphi@u)$

$\top@u = \top$

$\bot@u = \bot$

$(\forall x.\varphi)@u = \forall x.(\varphi@u)$

$(\exists x.\varphi)@u = \exists x.(\varphi@u)$

$(\varphi@u')@u = \varphi@u'$

$\varphi \circ (u_1, u_2) = \forall u.\ (u_1 < u < u_2) \Rightarrow (\varphi@u)$

$\varphi \circ (u_1, u_2] = \forall u.\ (u_1 < u \le u_2) \Rightarrow (\varphi@u)$

$\varphi \circ [u_1, u_2) = \forall u.\ (u_1 \le u < u_2) \Rightarrow (\varphi@u)$

$\varphi \circ [u_1, u_2] = \forall u.\ (u_1 \le u \le u_2) \Rightarrow (\varphi@u)$

Figure 15. Abbreviations


I.1 Proof Overview

The proof proceeds in four stages. Each stage employs the rely-guarantee technique in the style of [ref] to prove a particular invariant about executions of the system. At a high level, the four stages of the proof are as follows:

1. PCR Protection: We show that the value of PCR 17 contains a certain measurement h only during late launch sessions running a session of Memoir.







1   runmodule =
2     let snapshot =
3       λ(state, summary, skey).
4         enc_state ← act(encrypt(skey, state));
5         auth ← act(mac(skey, (enc_state, summary)));
6         ret(enc_state, summary, auth)
7
8     let check_snapshot =
9       λ((enc_state, freshness_tag, auth), request, history, skey).
10        act(verify_mac(skey, (enc_state, freshness_tag), auth));
11        freshness_tag' ← act(hash(freshness_tag||request));
12        if(freshness_tag = history ∨ freshness_tag' = history, act(decrypt(skey, enc_state)), act(abort()))
13
14    let initialize =
15      λ(service, Nloc).
16        act(extend_pcr(pcr17, code_hash(service)));
17        act(verify_pcr(pcr17, hash_chain(-1, code_hash(runmodule), code_hash(service))));
18        skey ← act(gen_symkey());
19        let history_summary = 0
20        act(setNVRAMlocPerms(Nloc, pcr17));
21        act(NVRAMwrite(Nloc, (history_summary, skey)));
22        act(extend_pcr(pcr17, 0));
23        service_state ← (service ExtendPCR ResetPCR ···) INIT;
24        act(service_init(skey, service, service_state, Nloc));
25        snap ← snapshot(service_state, history_summary, skey);
26        ret((), snap)
27
28    let execute =
29      λ(service, Nloc, snap, req).
30        act(extend_pcr(pcr17, code_hash(service)));
31        (history_summary, skey) ← act(NVRAMread(Nloc));
32        service_state ← check_snapshot(snap, req, history_summary, skey);
33        new_summary ← act(hash(history_summary||req));
34        act(NVRAMwrite(Nloc, (new_summary, skey)));
35        act(extend_pcr(pcr17, 0));
36        act(service_try(skey, service, service_state, Nloc));
37        (new_state, resp) ← (service ExtendPCR ResetPCR ···) (EXEC(service_state, req));
38        snap ← snapshot(new_state, new_summary, skey);
39        act(service_invoke(skey, service, service_state, new_state, Nloc));
40        ret(resp, snap)
41
42    λ(service, Nloc, call).
43      (resp, snap) ← (case call of
44           INIT ⇒ initialize(service, Nloc)
45         | EXEC(snap, req) ⇒ execute(service, Nloc, snap, req));
46      act(send(resp, snap));
47      act(ll_exit())

Figure 13. runmodule: A model of Memoir's state isolation mechanism


2. NVRAM Protection: We show that after the permissions on a location in the NVRAM have been set to h, the permissions on that location are never changed.

3. Key Secrecy: We show that if the key corresponding to the service is available to a thread, then it must have either generated it or read it from the NVRAM.

4. History Summary-State Correspondence: We show that on any two executions of Memoir, if the history summaries are equal then the states must also be equal.


Finally, from these, we prove the overall state continuity prop¬ 
erty for Memoir. 


Next, we sketch the proofs of each of the above stage. The 
proofs require axioms about the above predicates, which we state 
along with the stage the axioms are first required. 

1.1.1 PCR Protection. 

In Figure 16 we list the definitions and model-specific axioms 
we need. The predicate LL(u_1, u_2, e, j) states that thread j runs 
a late launch session for e between u_1 and u_2. The predicate 
InLLSess(u, e, j) states that at time u, thread j runs a late launch 
session for e. The predicate InSomeLLSess(u, e) states that at time u, 
some thread is running a late launch session for e. LLThread(j, e) 
states that j is a thread that runs a late launch session for e. 
PCRPrefix(p, s_hash) states that the value contained in p is a 
hash prefix of s_hash. ExitsPCRProtected(i, u, s_hash) states 
that whenever a late launch thread exits, the state of PCR 17 is 
not a prefix of s_hash. LLChain(h, e) states that h is a hash chain 
which, if contained in PCR 17, is evidence of a late launch session 
for e. 

Definitions 

  LL(u_1, u_2, e, j) = LLenter(e, j)@u_1 \wedge \neg LLexit(j) \circ (u_1, u_2) \wedge LLexit(j)@u_2 
  InLLSess(u, e, j) = \exists u_1. (u_1 < u) \wedge LLenter(e, j)@u_1 \wedge \neg LLexit(j) \circ [u_1, u) 
  InSomeLLSess(u, e) = \exists j. InLLSess(u, e, j) 
  LLThread(j, e) = \exists u. LLenter(e, j)@u 
  PCRPrefix(p, s\_hash) = \exists h. val\_pcr(p, h) \wedge hash\_prefix(h, s\_hash) 
  ExitsPCRProtected(i, u, s\_hash) = LLexit(i)@u \Rightarrow \neg PCRPrefix(pcr17, s\_hash)@u 
  LLChain(h, e) = hash\_prefix(hash\_chain(-1, code\_hash(e)), h) 

Axioms 

  (LLExit)   \forall s\_hash, u_1, u_2, e. LLChain(s\_hash, e) \Rightarrow 
               (val\_pcr(pcr17, s\_hash)@u_2 \wedge \neg InSomeLLSess(u_2, e)) \Rightarrow 
               \exists u_3, j, h. (u_1 < u_3 < u_2) \wedge LLThread(j, e) \wedge LLexit(j)@u_3 
                 \wedge val\_pcr(pcr17, h)@u_3 \wedge hash\_prefix(h, s\_hash) 
                 \wedge \forall u \in (u_1, u_3). (val\_pcr(pcr17, s\_hash)@u \Rightarrow InSomeLLSess(u, e)) 
  (PCRInit)  val\_pcr(p, 0)@-\infty 
  (LLHonest) LLenter(i, e)@u \Rightarrow \exists e'. start(-\infty, e\ e', i) 

  The next two axiom schemas hold for any action a(i, t): 

  (LLAct1)   a(i, t)@u \wedge InSomeLLSess(u, e) \Rightarrow InLLSess(u, e, i) 
  (LLAct2)   a(i, t)@u \wedge LLThread(i, e) \Rightarrow InLLSess(u, e, i) 

Figure 16. Definitions and model-specific axioms about late launch 

  (SetPerms) SetNVPerms(i, Nloc, p)@u \wedge val\_pcr(p, h)@u \Rightarrow NVPerms(Nloc, p, h)@u 
  (GetPerms) (SetNVPerms(i, Nloc, p')@u \vee NVRead(i, Nloc, p')@u \vee NVWrite(i, Nloc, p')@u) 
               \wedge NVPerms(Nloc, p, h)@u \Rightarrow val\_pcr(p, h)@u 
  (NVPerms)  NVPerms(Nloc, p, h)@u_1 \wedge \neg NVPerms(Nloc, p, h)@u_2 \wedge (u_1 < u_2) \Rightarrow 
               \exists u_3, j, p', h'. (u_1 < u_3 < u_2) \wedge val\_pcr(p', h')@u_3 
                 \wedge SetNVPerms(j, Nloc, p')@u_3 \wedge (p \neq p' \vee h \neq h') 
                 \wedge \forall u_4 \in (u_1, u_3). NVPerms(Nloc, p, h)@u_4 

Figure 17. Model-specific axioms about NVRAM 

Axiom (LLExit) states that whenever, outside a late launch ses­
sion, the value of PCR 17 is found to be a late launch chain s_hash, 
we can conclude that some late launch session exited with the state 
of PCR 17 being a prefix of s_hash. (PCRInit) states that the value 
of any PCR begins at 0. (LLHonest) states that late launch threads 
for a computation e exclusively run e with some arguments e'. 
(LLAct1) and (LLAct2) are axiom schemas that essentially state 
that no other threads are active during late launch sessions. 

Consider an arbitrary service s. Let s_hash = hash_chain(-1, 
code_hash(runmodule), code_hash(s)). We show that if the 
value of pcr17 at time u is s_hash, then it must be the case that 
we are in a late launch session at time u. Formally, we show that 

  \forall u. val\_pcr(pcr17, s\_hash)@u \Rightarrow InSomeLLSess(u, runmodule)          (1) 

To prove an invariant \forall u > u_1. \varphi(u) using rely-guarantee rea­
soning, it is sufficient to show, for a choice of \psi(u, i) and \iota(i), that 

  (1) \varphi(u_1) 
  (2) \forall i, u. (\iota(i) \wedge \forall u' < u. \varphi(u')) \Rightarrow \psi(u, i) 
  (3) (\varphi(u_1) \wedge \neg\varphi(u_2) \wedge (u_1 < u_2)) \Rightarrow 
        \exists i, u_3. (u_1 < u_3 < u_2) \wedge \iota(i) \wedge \neg\psi(u_3, i) \wedge 
        \forall u_4 \in (u_1, u_3). \varphi(u_4) 

We choose \varphi, \psi and \iota as below: 

  \varphi(u) = val\_pcr(pcr17, s\_hash)@u \Rightarrow InSomeLLSess(u, runmodule) 
  \psi(i, u) = ExitsPCRProtected(i, u, s\_hash) 
  \iota(i) = LLThread(i, runmodule) 

Condition (1) follows from (PCRInit) and \neg hash\_prefix(0, s\_hash). 
Condition (3) follows directly from axiom (LLExit). To prove con­
dition (2), expanding out the definitions of \varphi, \iota and \psi above, 
we need to show that 

  \forall i, u. (LLThread(i, runmodule) 
      \wedge \forall u' < u. (val\_pcr(pcr17, s\_hash)@u' \Rightarrow InSomeLLSess(u', runmodule))) 
    \Rightarrow ExitsPCRProtected(i, u, s\_hash)                                  (2) 

This can be rewritten as 

  \forall i. (LLThread(i, runmodule) \Rightarrow 
    \forall u. (\forall u' < u. (val\_pcr(pcr17, s\_hash)@u' \Rightarrow InSomeLLSess(u', runmodule)) 
      \Rightarrow ExitsPCRProtected(i, u, s\_hash)))                              (3) 

Choose an arbitrary thread i such that LLThread(i, runmodule). 
Therefore, we have by (LLHonest) that for some e', 
start(-\infty, runmodule\ e', i). To use rule HONEST to show (3), 
we need to show that runmodule satisfies the following invariant: 

  \vdash runmodule : 
    \forall u_b < u \le u_e. (\forall u' < u. (val\_pcr(pcr17, s\_hash)@u' \Rightarrow InSomeLLSess(u', runmodule)) 
      \Rightarrow ExitsPCRProtected(i, u, s\_hash))                               (4) 

The key step in typing runmodule is to type the execution of s 
supplied by the adversary using the CONFINE rule. Essentially, we 
need to show that the service cannot exit with pcr17 containing 
a prefix of s_hash. The service is confined to the actions provided 
by the TPM, and we can show that each of them has the following 
computational type cmp(u_b, u_e, i.(x.\varphi_c, \psi_c)), where \psi_c is: 

  \psi_c = \neg PCRPrefix(pcr17, s\_hash)@u_b \Rightarrow 
    \forall u \in [u_b, u_e]. (InLLSess(u, runmodule, i) 
      \Rightarrow \neg PCRPrefix(pcr17, s\_hash)@u)                               (5) 

Therefore, we can give s the same type. We have now shown 
that by the end of the service, the late launch session has either ter­
minated or the value of pcr17 is not a prefix of s_hash. Using 
(LLAct2), we can now show (3). 
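To make the PCR-protection argument of this subsection concrete, here is an added example (my own Python model, not code from the paper or from Memoir). PCR 17 is kept as a hash chain; a late launch resets it to the -1 value and extends the launched code's hash, so s_hash = hash_chain(-1, code_hash(runmodule), code_hash(s)) as above. A checker replays a constructed trace of late launch, extend, exit and reboot events, tests φ(u) after every event, and on failure reports the late launch exit at which PCR 17 was still a prefix of s_hash, which is the ¬ψ(u_3, i) witness that condition (3) of the rely-guarantee proof demands. The class and function names (PCR17, check_pcr_invariant), the event encoding, the sentinel bytes standing in for 0 and -1, and both traces are this example's own assumptions.

```python
import hashlib

ZERO = b"\x00" * 32       # value every PCR starts with, (PCRInit)
LL_RESET = b"\xff" * 32   # stands in for the -1 that only a late launch installs


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def code_hash(name: str) -> bytes:
    """Constructed measurement of a computation's code."""
    return H(b"code:", name.encode())


def hash_chain(base: bytes, *measurements: bytes) -> bytes:
    """hash_chain(b, m1, m2) = H(H(b || m1) || m2): the PCR extend chain."""
    h = base
    for m in measurements:
        h = H(h, m)
    return h


class PCR17:
    """PCR 17 kept as (base, extensions) so that hash_prefix is decidable."""

    def __init__(self):
        self.base, self.exts = ZERO, []

    def reboot(self):
        self.base, self.exts = ZERO, []

    def late_launch(self, code: str):
        # only a late launch installs the -1 base; it then measures the code
        self.base, self.exts = LL_RESET, [code_hash(code)]

    def extend(self, m: bytes):
        self.exts.append(m)

    def value(self) -> bytes:
        return hash_chain(self.base, *self.exts)

    def is_prefix_of(self, base: bytes, exts: list) -> bool:
        """PCRPrefix: the current value is a (possibly equal) prefix of the chain."""
        return self.base == base and self.exts == exts[: len(self.exts)]


# s_hash = hash_chain(-1, code_hash(runmodule), code_hash(s)) for a service "svc"
S_CHAIN = (LL_RESET, [code_hash("runmodule"), code_hash("svc")])
S_HASH = hash_chain(S_CHAIN[0], *S_CHAIN[1])


def check_pcr_invariant(trace, s_chain=S_CHAIN):
    """Replay (u, thread, op, arg) events and return (phi_violations, bad_exit).

    phi_violations: times u at which pcr17 == s_hash while no late launch
    session is active (phi(u) fails).  bad_exit: (u, thread) of the first
    LLexit at which pcr17 was still a prefix of s_hash, i.e. the thread
    broke ExitsPCRProtected (psi); None when every exit was protected."""
    pcr, in_sess = PCR17(), set()
    violations, bad_exit = [], None
    s_hash = hash_chain(s_chain[0], *s_chain[1])
    for u, i, op, arg in trace:
        if op == "LLenter":
            in_sess.add(i)
            pcr.late_launch(arg)
        elif op == "extend":
            pcr.extend(arg)
        elif op == "LLexit":
            if bad_exit is None and pcr.is_prefix_of(*s_chain):
                bad_exit = (u, i)
            in_sess.discard(i)      # InLLSess holds on [u_1, u_2), not at u_2
        elif op == "reboot":
            pcr.reboot()
        if pcr.value() == s_hash and not in_sess:
            violations.append(u)
    return violations, bad_exit


# Constructed traces.  Honest runmodule (Figure 13): measure the service
# (line 30), cap the chain with extend_pcr(pcr17, 0) (line 35) before the
# untrusted service runs, then exit.  Thread "adv" then tries to rebuild
# the same chain after a reboot, without a late launch.
HONEST_TRACE = [
    (1, "t1", "LLenter", "runmodule"),
    (2, "t1", "extend", code_hash("svc")),
    (3, "t1", "extend", ZERO),
    (4, "t1", "LLexit", None),
    (5, "adv", "reboot", None),
    (6, "adv", "extend", code_hash("runmodule")),
    (7, "adv", "extend", code_hash("svc")),
]

# The same run with the capping extend omitted: t1 exits while pcr17 == s_hash,
# so phi fails at u = 3 and t1 is the thread that broke psi.
UNCAPPED_TRACE = [
    (1, "t1", "LLenter", "runmodule"),
    (2, "t1", "extend", code_hash("svc")),
    (3, "t1", "LLexit", None),
]

if __name__ == "__main__":
    print(check_pcr_invariant(HONEST_TRACE))    # ([], None)
    print(check_pcr_invariant(UNCAPPED_TRACE))  # ([3], (3, 't1'))
```

The honest trace satisfies φ at every step: the only time PCR 17 equals s_hash is while t1 is inside its session, and the adversary's chain after the reboot starts from 0 rather than -1, so it never reaches s_hash. Dropping the capping extend at line 35 is exactly the failure the CONFINE typing of the service rules out: the session exits with PCR 17 still equal to s_hash, φ fails at the exit time, and the checker names that exit as the ¬ψ witness.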

1.1.2 NVRAM Protection. 

Figure 17 contains axioms governing the behavior of NVRAM. 
(SetPerms) states that on the successful execution of setting permis­
sions on NVRAM at time u, the permissions are correct at u. (Get­
Perms) states that when the permissions on a particular NVRAM 
location are tied to the PCR p being h, then accessing that NVRAM 
location implies that the value of PCR p is h. (NVPerms) 
states that if the permissions on an NVRAM location change, then 
they must have been changed via a setNVRAMlocPerms action. 

We wish to show that the permissions on the NVRAM are 
always tied to the value of pcr17 being s_hash: 

  (SetNVPerms(i, Nloc, pcr17) \wedge val\_pcr(pcr17, s\_hash))@u_i 
    \Rightarrow \forall (u > u_i). NVPerms(Nloc, pcr17, s\_hash)@u                    (6) 

Assume that for some time point u_i, 

  (SetNVPerms(i, Nloc, pcr17) \wedge val\_pcr(pcr17, s\_hash))@u_i              (7) 

We now need to show that 

  \forall (u > u_i). NVPerms(Nloc, pcr17, s\_hash)@u 

Again, we prove this invariant by rely-guarantee reasoning, where 
we choose \varphi, \psi and \iota to be the following. 

  \varphi(u) = NVPerms(Nloc, pcr17, s\_hash)@u 
  \psi(u, i) = (SetNVPerms(i, Nloc, p) \Rightarrow (p = pcr17) \wedge val\_pcr(pcr17, s\_hash))@u 
  \iota(i) = LLThread(i, runmodule) 

Expanding condition (1), we need to show the following: 

  NVPerms(Nloc, pcr17, s\_hash)@u_i 

This holds by axiom (SetPerms) and (7). 

Expanding condition (2), choose i such that LLThread(i, runmodule). 
We need to show that \forall u > u_i. (\forall u' \in (u_i, u). \varphi(u')) \Rightarrow \psi(i, u). 
To use HONEST, we need to show that runmodule satisfies the 
following invariant: 

  \vdash runmodule : 
    \forall u \in (u_b, u_e]. \forall u' \in [u_i, u). 
      NVPerms(Nloc, pcr17, s\_hash)@u' \Rightarrow 
      SetNVPerms(i, Nloc, p)@u \Rightarrow 
      (p = pcr17) \wedge val\_pcr(pcr17, s\_hash)@u                              (8) 

Again, the key step in typing runmodule is to type the execu­
tion of s supplied by the adversary using the CONFINE rule. Essen­
tially, we show that the service is not allowed to set the permissions 
of Nloc at all. Each action f provided by the TPM interface can be 
confined to the type cmp(u_b, u_e, i.(x.\varphi_c, \psi_c)), where \psi_c is: 

  f : cmp(u_b, u_e, i. \neg PCRPrefix(pcr17, s\_hash)@u_b \Rightarrow 
        \forall u \in [u_b, u_e]. (InLLSess(u, runmodule, i) 
          \Rightarrow \forall p. \neg SetNVRAMPerms(i, Nloc, p)@u))                  (9) 

Condition (3) follows from (NVPerms), (GetPerms) and (1). 
In particular, we can show from (7) and (GetPerms): 

  (SetNVPerms(i, Nloc, pcr17) \wedge val\_pcr(pcr17, s\_hash))@u_i 
    \Rightarrow \forall (u > u_i). ReadNV(j, Nloc)@u 
      \Rightarrow val\_pcr(pcr17, s\_hash)@u                                       (10) 

And by (1): 

  (SetNVPerms(i, Nloc, pcr17) \wedge val\_pcr(pcr17, s\_hash))@u_i 
    \Rightarrow \forall (u > u_i). ReadNV(j, Nloc)@u 
      \Rightarrow InSomeLLSess(u, runmodule)                                    (11) 

Therefore, by (LLAct1), we have that 

  (SetNVPerms(i, Nloc, pcr17) \wedge val\_pcr(pcr17, s\_hash))@u_i 
    \Rightarrow \forall j, (u > u_i). ReadNV(j, Nloc)@u 
      \Rightarrow InLLSess(u, runmodule, j)                                     (12) 

This means that whenever a thread j reads from Nloc at 
time u, it must be the case that j is in a late launch session running 
runmodule at time u. 

Definitions 

  NVContains(Nloc, s) = \exists m. Contains(m, s) \wedge val\_NV(Nloc, m) 
  Private(s, Nloc, u) = \forall u' < u. (Send(i, m)@u' \Rightarrow \neg Contains(m, s)) 
                          \wedge \forall Nloc'. (NVContains(Nloc', s)@u' \Rightarrow (Nloc' = Nloc)) 
  KeepsPrivate(i, s, Nloc) = (Send(i, m) \Rightarrow \neg Contains(m, s)) 
                          \wedge \forall Nloc'. (WriteNV(i, Nloc', m) \wedge Contains(m, s) \Rightarrow Nloc = Nloc') 
  NewInLL(s, e) = New(i, s)@u \Rightarrow InLLSess(u, e, i) 

Axioms 

  (Shared)      LLChain(h, e) \wedge NewInLL(s, e) \wedge (\forall u > u_i. NVPerms(Nloc, pcr17, h)@u) \wedge 
                Private(s, Nloc, u_1) \wedge \neg Private(s, Nloc, u_2) \Rightarrow 
                  \exists i, u_3. (u_1 < u_3 \le u_2) \wedge LLThread(i, e) 
                    \wedge \neg KeepsPrivate(i, s, Nloc)@u_3 
                    \wedge \forall u \in (u_1, u_3). Private(s, Nloc, u) 
  (POS)         Private(s, Nloc, u) \wedge Has(i, s)@u \Rightarrow 
                  (\exists u'. (u' < u) \wedge New(i, s)@u') \vee 
                  (\exists u'. (u' < u) \wedge ReadNV(i, Nloc, m)@u' \wedge Contains(m, s)) 
  (PrivateInit) New(s)@u \Rightarrow Private(s, Nloc, u) 
  (New3)        New(i, n)@u \wedge New(i', n)@u' \Rightarrow (i = i') \wedge (u = u') 

  Assumption about service_init: 

  (Init)        service\_init(i, skey, service, state, Nloc)@u_i \Rightarrow 
                  \exists u. (u < u_i) \wedge Start(i, runmodule\ service\ Nloc\ INIT)@u 

Figure 18. Definitions and model-specific axioms about secrecy 


1.1.3 Key Secrecy. 

Figure 18 lists the definitions and axioms pertaining to key secrecy. 

The definition NVContains(Nloc, s) states that the NVRAM lo­
cation Nloc contains the secret s. Private(s, Nloc, u) states that 
the secret s has not been sent out on the network and the only 
NVRAM location it has been stored in is Nloc. KeepsPrivate(i, s, Nloc) 
states that whenever thread i sends a message, it does not contain 
the secret s. Additionally, it only stores s in Nloc. NewInLL(s, e) 
states that s was generated in a late launch session of e. 

The axiom (Shared) states that if a secret is private at time 
u_1 and not private at u_2, then it must be the case that at some 
point in between some thread violated KeepsPrivate(i, s, Nloc). 
(POS) states that if some thread possesses a secret s that is private 
to Nloc, then it must have either generated it or read it from Nloc. 
(PrivateInit) states that a secret is private as soon as it is generated. 
(New3) is an axiom about non-collision of nonce values. (Init) is 
a logical assumption we make that states that service_init can only 
be called by honest threads running runmodule. 

We now show that after initialization, if any thread j has the 
key corresponding to the service, then that thread must have read it 
from Nloc or the thread j is the initialization thread itself. 

  \forall i, u_i, state, skey, Nloc. 
    service\_init(i, skey, service, state, Nloc)@u_i \Rightarrow 
    \forall j, u > u_i. Has(j, skey)@u \Rightarrow (j = i) \vee 
      \exists u', m. (u_i < u' < u) \wedge ReadNV(j, Nloc, m)@u' 
        \wedge Contains(m, skey)                                              (13) 

Fix i, u_i, skey, service, Nloc. 
Assume service_init(i, skey, service, state, Nloc)@u_i. 

We prove (13) by another rely-guarantee proof, very similar to the 
proof of Kerberos in [Q]. We choose the following \varphi, \psi and \iota. 

  \varphi(u) = Private(skey, Nloc, u) 
  \psi(i, u) = KeepsPrivate(i, skey, Nloc)@u 
  \iota(i) = LLThread(i, runmodule) 

To show condition (1), \varphi(u_i), we can first show using (Init), 
(HON) and reasoning about ordering and atomicity of events that: 

  \exists u_1, u_2, u_3, u_4. (u_1 < u_2 < u_3 < u_4 < u_i) \wedge 
    VerifyPCR(pcr17, s\_hash)@u_1 \wedge 
    New(skey)@u_2 \wedge 
    SetNVPerms(i, Nloc, pcr17)@u_3 \wedge 
    NVWrite(i, Nloc, (skey, h))@u_4 \wedge 
    \neg SetNVPerms(i, Nloc, p) \circ (u_3, u_i] \wedge 
    \neg (Extend(i, pcr17, t) \vee Reset(i, pcr17)) \circ (u_1, u_3] \wedge 
    \neg Send(i, m) \circ (u_1, u_i]                                          (14) 

Now we can show using (Shared), (PrivateInit), (LLAct) and 
(14) that Private(skey, Nloc, u_i) holds. Essentially, at u_i, skey is still 
private because the thread i did not leak the key, and no other 
thread was running in parallel. 

To prove condition (2) we again use the HONEST rule. However, 
the property required is not derived using CONFINE. The key step 
is to show that if the service, which is untrusted code, is not given 
the key as an input, then it cannot leak the key during execution. 

We do this by assuming that the original service that Memoir was 
initialized with had this property, and then proving that the service 
passed into any session of Memoir has to be equal to the service it 
was initialized with. This is where we require the Eq rule. 

The key step here is the typing of the execution of s: 

  (s\ ExtendPCR\ ResetPCR \ldots) (EXEC(service\_state, req)) 

Here, we use the Eq rule. As we can show that s = service by 
comparing the hash chains in PCR 17, we assign s the following 
type: 

  (s\ ExtendPCR\ ResetPCR \ldots) : \Pi i : msg. cmp(u_b, u_e, i. 
      (x : msg. \neg Contains(i, s) \Rightarrow \neg Contains(x, s), 
       KeepsSecret(i, skey, Nloc) \circ [u_b, u_e]))                           (15) 

Condition (3) follows from (Shared) and (12). 

1.1.4 State to History Summary Correspondence. 

We state without proof an invariant that the history summary has 
a one-to-one correspondence with the state. This is proved through 
an induction on the history summary. 

  \forall i, u_i, state, skey, Nloc. 
    service\_init(i, skey, state, Nloc, \ldots)@u_i \Rightarrow 
    \forall h, state, state', j, j', u, u'. u > u_i \wedge u' > u_i \Rightarrow 
      mac(j, skey, (state, h))@u \wedge mac(j', skey, (state', h))@u' \Rightarrow 
      (state = state')                                                     (16) 


1.1.5 State Continuity 

The property we prove about Memoir is as follows: 

  \forall u_i, state, state', skey, i_{init}, s_{init}. 
    service\_init(i_{init}, skey, service, s_{init})@u_i \Rightarrow 
    \forall u > u_i. service\_try(i, skey, state)@u \Rightarrow 
      \exists j, u' < u. ((\exists s. service\_invoke(j, skey, s, state)@u' 
          \vee service\_try(j, skey, state)@u' 
          \vee service\_init(j, skey, state)@u') 
        \wedge (\forall j'. \neg service\_invoke(j', skey, \ldots) \circ (u', u]))          (17) 

In the above statement, we elide unnecessary arguments in the 
flag predicates. This property states that for every execution attempt 
of the service with state state at time u, there exists a prior time 
point u' such that at u' either (1) the service was invoked resulting in 
state state, or (2) there was an execution attempt of the service 
with state state', or (3) the service was initialized with state state. 
Additionally, since u', the service has not been invoked, which 
would have advanced the state of the service. This last clause rules 
out any rollback attacks. Each flag is indexed with the same secret 
key skey that the service was initialized with. This key ties all the 
flags in the property to the same instance of Memoir. 

Fix i, u_i, state, skey. 

Assume service_init(i_init, skey, service, s_init)@u_i. 
For some u > u_i assume that 

  service\_try(i, skey, state, state')@u                                      (18) 

Therefore we have Has(i, skey)@u. By (13) we have that one 
of the two holds: 

  i = i_{init}, or 
  \exists u'. u_i < u' < u. ReadNV(i, Nloc, m)@u' \wedge Contains(m, skey)          (19) 

We analyze each case: 

• Case i = i_init. 

  We have from (Init) and service_init(i_init, skey, service, s_init) 
  that 

    \exists u. (u < u_i) \wedge Start(i, runmodule\ service\ Nloc\ INIT)@u 

  With HONEST, we can show that service_try does not occur on 
  i and we have a contradiction. 

• Case \exists u' \in (u_i, u). ReadNV(i, Nloc, m)@u' \wedge Contains(m, skey). 

  In this case, by (12) we have that LLThread(i, runmodule). 
  Therefore, by HONEST, 

    ReadNV(i, Nloc, (skey, h))@u'                                              (20) 

  By (NVRAMRead), we have that \exists u'' < u' such that 

    WriteNV(j, Nloc, (skey, h))@u'' \wedge 
    \forall j''. \neg WriteNV(j'', Nloc, m') \circ (u'', u']                          (21) 

  Again, by (12) and (21) we have that 

    LLThread(j, runmodule)                                                    (22) 

  And by HONEST, as we know (21), we can derive that 

    mac(j, skey, (ENC_{skey}(state'), h))                                      (23) 

  Also, from (18) and HONEST we know that the branch at Line 12 
  of runmodule executed. This gives us two cases: 

  ■ Case 1: 

      verifyMAC(i, skey, (ENC_{skey}(state), h))                               (24) 

    This is the case where the history summary h matches the 
    MACed history summary. From (24) and (MAC), we have for 
    some j' 

      mac(j', skey, (ENC_{skey}(state), h))                                    (25) 

    By (16) along with (24) and (26) we have state' = state. 
    We then have from (23) that there exists a u' such that 

      service\_invoke(j, skey, s', state)@u' 
        \vee service\_init(j, skey, service, state)@u'                            (26) 

    Also, from (21), we can show that \forall j''. \neg service\_invoke(j'', \ldots). 

  ■ Case 2: 

      verifyMAC(j, skey, (ENC_{skey}(state), h')) \wedge h = H(req \| h')             (27) 

    This is the case where at Line 12 of runmodule, the current 
    history summary is the hash of the current request and the 
    history summary in the snapshot. This means that Memoir 
    was called with exactly the same request in the past and no 
    other request has completed since then. This case proceeds 
    similarly to Case 1. 
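As an added example (my own Python model, not code from the paper or from Memoir's implementation), here is the flow of runmodule from Figure 13 together with the Line 12 snapshot check whose two cases are analysed above. NVRAM access is gated on pcr17 matching the value bound when the permissions were set (the (SetPerms)/(GetPerms) discipline of section 1.1.2), the history summary advances to hash(history_summary || req) and is written to NVRAM before the untrusted service runs (lines 33-34), and a snapshot carries the state, the summary and a MAC under skey. The names Tpm, Memoir, Counter, check_snapshot and rejected, the constructed requests, and the choice to leave ENC_skey out (the state travels in the clear under the MAC) are this example's own assumptions.

```python
import hashlib, hmac, os

ZERO32 = b"\x00" * 32

def H(*parts): return hashlib.sha256(b"".join(parts)).digest()
def code_hash(name): return H(b"code:", name.encode())   # constructed code measurement

class RollbackError(Exception):
    """Snapshot is stale or forged: it does not match the NVRAM history summary."""

class Tpm:
    """Minimal TPM: PCR 17, NVRAM locations, and PCR-bound NVRAM permissions."""
    def __init__(self):
        self.pcr17, self.nv, self.nv_perms = ZERO32, {}, {}
    def late_launch(self, code):
        self.pcr17 = H(b"\xff" * 32, code_hash(code))   # reset to -1, extend the code
    def extend_pcr(self, m):
        self.pcr17 = H(self.pcr17, m)
    def set_nv_perms(self, nloc):
        self.nv_perms[nloc] = self.pcr17                 # (SetPerms): bind to pcr17 now
    def _gate(self, nloc):
        if self.nv_perms.get(nloc) != self.pcr17:        # (GetPerms): access => match
            raise PermissionError("pcr17 does not match the permissions on " + nloc)
    def nv_write(self, nloc, value):
        self._gate(nloc); self.nv[nloc] = value
    def nv_read(self, nloc):
        self._gate(nloc); return self.nv[nloc]

def snapshot(state, history, skey):
    """(state, h, MAC_skey(state || h)); ENC_skey(state) is left out of this model."""
    return state, history, hmac.new(skey, state + history, "sha256").digest()

def check_snapshot(snap, req, history, skey):
    """The Line 12 check.  Case 1: snapshot summary h equals the NVRAM summary.
    Case 2: NVRAM summary == hash(h || req): this same request was already
    recorded and nothing else completed since.  Anything else is a rollback."""
    state, h, tag = snap
    if not hmac.compare_digest(tag, hmac.new(skey, state + h, "sha256").digest()):
        raise RollbackError("bad MAC")
    if h == history or history == H(h, req):
        return state
    raise RollbackError("stale snapshot")

class Counter:
    """Constructed service: 8-byte big-endian counter, response = new count."""
    name = "counter"
    def init(self): return b"\x00" * 8
    def exec(self, state, req):
        n = int.from_bytes(state, "big") + 1
        return n.to_bytes(8, "big"), n

class Memoir:
    NLOC = "Nloc"
    def __init__(self, tpm, service):
        self.tpm, self.service = tpm, service
    def _enter(self):                   # late launch runmodule, then measure the service
        self.tpm.late_launch("runmodule")
        self.tpm.extend_pcr(code_hash(self.service.name))        # line 30
    def initialize(self):               # lines 18-26
        self._enter()
        skey, history = os.urandom(32), ZERO32
        self.tpm.set_nv_perms(self.NLOC)                         # line 20
        self.tpm.nv_write(self.NLOC, (history, skey))            # line 21
        self.tpm.extend_pcr(ZERO32)     # line 22: cap pcr17 before untrusted code runs
        return snapshot(self.service.init(), history, skey)
    def execute(self, snap, req, crash_after_nv_write=False):   # lines 28-40
        self._enter()
        history, skey = self.tpm.nv_read(self.NLOC)              # line 31
        state = check_snapshot(snap, req, history, skey)         # line 32
        new_history = H(history, req)                            # line 33
        self.tpm.nv_write(self.NLOC, (new_history, skey))        # line 34, before the service
        if crash_after_nv_write:
            raise RuntimeError("simulated power loss")
        self.tpm.extend_pcr(ZERO32)                              # line 35
        new_state, resp = self.service.exec(state, req)          # line 37
        return resp, snapshot(new_state, new_history, skey)

def rejected(fn, exc):
    """True iff fn() raises exc."""
    try:
        fn()
    except exc:
        return True
    return False

def demo():
    m = Memoir(Tpm(), Counter())
    snap0 = m.initialize()
    r1, snap1 = m.execute(snap0, b"inc")
    r2, snap2 = m.execute(snap1, b"inc")
    nv_gated = rejected(lambda: m.tpm.nv_read(Memoir.NLOC), PermissionError)  # pcr17 is capped
    rollback = rejected(lambda: m.execute(snap0, b"inc"), RollbackError)      # two-step-old snap
    rejected(lambda: m.execute(snap2, b"inc", crash_after_nv_write=True), RuntimeError)
    r3, snap3 = m.execute(snap2, b"inc")                 # Case 2: the same request resumes
    other = rejected(lambda: m.execute(snap2, b"dec"), RollbackError)         # different request
    return {"r1": r1, "r2": r2, "r3": r3, "nv_gated": nv_gated,
            "rollback_rejected": rollback, "other_req_rejected": other}
```

demo() returns the counter responses 1, 2, 3 and three booleans: NVRAM is unreachable once pcr17 has been capped, the two-steps-old snapshot is rejected as a rollback, and after a simulated power loss between the NVRAM write and the return of the new snapshot, the same request resumes under Case 2 while a different request against the old snapshot is rejected. Because the summary is advanced before the service executes, a retry of the most recent request from its previous snapshot is also accepted and re-executes deterministically, which is what clause (2) of property (17) permits.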


